Platform
other
Component
aenrich-ahcm
Fixed in
8.1.1
CVE-2026-6835 describes an Arbitrary File Access vulnerability discovered in a+HCM, a product developed by aEnrich. This vulnerability allows unauthenticated remote attackers to upload arbitrary files to any path on the system. The affected versions range from 0.0.0 to 8.1. A patch is expected to be released by aEnrich to address this issue.
The primary impact of CVE-2026-6835 is the ability for an attacker to upload arbitrary files to the a+HCM server. This can be exploited to inject malicious HTML documents, potentially leading to cross-site scripting (XSS) attacks. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of a user's browser, leading to session hijacking, data theft, or defacement of the application. The lack of authentication required for file upload significantly broadens the attack surface, making this vulnerability particularly concerning. While the description doesn't explicitly mention it, the ability to upload executable files could also lead to remote code execution (RCE) depending on the server's configuration and file permissions.
CVE-2026-6835 was publicly disclosed on 2026-04-22. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 6.1 (Medium) indicates a moderate risk level, suggesting that exploitation is possible but not necessarily widespread.
Organizations using a+HCM in environments with limited security controls are particularly at risk. This includes deployments where file upload functionality is exposed to unauthenticated users or where input validation is inadequate. Shared hosting environments utilizing a+HCM are also at increased risk due to the potential for cross-tenant exploitation.
Disclosure
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2026-6835 is to upgrade to a patched version of a+HCM as soon as it becomes available from aEnrich. Until a patch is available, consider implementing strict file upload validation on the server side to prevent the upload of potentially malicious files. This should include whitelisting allowed file extensions and validating file content. Web Application Firewalls (WAFs) can be configured to block suspicious file upload attempts based on file type, size, and content. Monitor a+HCM server logs for unusual file upload activity, particularly uploads from unknown or untrusted sources. Restrict file uploads to the intended upload directory so that attackers cannot write files to any other location on the system.
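As an added example (not aEnrich's code and not part of the original advisory), the server-side checks described above in Python: a rejecting name check, an extension whitelist, a content check against the declared type, an HTML/script scan, and a final confirmation that the resolved path stays inside the upload root. The upload root `/srv/ahcm/uploads`, the extension list and the magic-byte prefixes are constructed assumptions for the example.

```python
import re
from pathlib import Path

# Constructed policy for this example; tune for the real deployment.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}
MAX_BYTES = 10 * 1024 * 1024
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
_HTMLISH = re.compile(rb"<\s*(script|html|iframe|svg|body)\b", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails policy."""


def validate_upload(filename: str, content: bytes, upload_root: str) -> Path:
    """Return the safe destination path for the upload, or raise UploadRejected."""
    # 1. No directory components at all: reject rather than silently strip them,
    #    so "../" sequences and absolute paths never reach the filesystem layer.
    name = filename.replace("\\", "/")
    if "/" in name or not _SAFE_NAME.match(name):
        raise UploadRejected("filename contains path components or bad characters")
    ext = Path(name).suffix.lower()
    # 2. Extension whitelist; only the final suffix counts, so "x.pdf.html" fails.
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    # 3. Content must match the declared type and must not carry markup, so a
    #    renamed HTML document cannot later be served back as a stored XSS page.
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    if _HTMLISH.search(content[:4096]):
        raise UploadRejected("HTML/script content not permitted")
    # 4. Resolve the final path and confirm it is a direct child of upload_root.
    root = Path(upload_root).resolve()
    dest = (root / name).resolve()
    if dest.parent != root:
        raise UploadRejected("destination escapes upload directory")
    return dest


def decide(filename: str, content: bytes, upload_root: str = "/srv/ahcm/uploads") -> str:
    """Wrapper returning 'accepted:<path>' or 'rejected:<reason>' for logging."""
    try:
        return "accepted:" + str(validate_upload(filename, content, upload_root))
    except UploadRejected as exc:
        return "rejected:" + str(exc)
```

The "rejected:" reasons are the values worth writing to the server log that the advisory recommends monitoring.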
Update to a fixed version of a+HCM. Consult the vendor's documentation or security alerts for specific instructions on how to apply the fix. Be sure to review and strengthen the security policies related to file uploads to prevent future attacks.
CVE-2026-6835 is a vulnerability in a+HCM allowing unauthenticated attackers to upload arbitrary files, potentially leading to XSS-like effects. It has a Medium severity rating.
You are affected if you are using a+HCM versions between 0.0.0 and 8.1. Check with aEnrich for specific version details and upgrade instructions.
The recommended fix is to upgrade to a patched version of a+HCM as soon as it becomes available. Until then, implement strict file upload validation and WAF rules.
Currently, there is no indication of active exploitation in the wild or publicly available proof-of-concept code.
Refer to the aEnrich website or their security advisory page for the official advisory regarding CVE-2026-6835.