ByteOS Network

szadmin

Source -

NVD

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

3Vulnerabilities found

CVE-2026-3187

Assigner-VulDB

View Details

Assigner-VulDB

CVSS Score-5.3||MEDIUM

EPSS-0.06% / 17.43%

7 Day CHG~0.00%

Published-25 Feb, 2026 | 14:32

Updated-26 Feb, 2026 | 15:11

feiyuchuixue sz-boot-parent API Endpoint upload unrestricted upload

A vulnerability was identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this issue is some unknown functionality of the file /api/admin/sys-file/upload of the component API Endpoint. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. Upgrading to version 1.3.3-beta can resolve this issue. The name of the patch is aefaabfd7527188bfba3c8c9eee17c316d094802. Upgrading the affected component is recommended. The project was informed beforehand and acted very professional: "We have introduced a whitelist restriction on the /api/admin/sys-file/upload endpoint via the oss.allowedExts and oss.allowedMimeTypes configuration options, allowing the specification of permitted file extensions and MIME types for uploads."

Vendor-szadmin feiyuchuixue

Product-sz-boot-parent sz-boot-parent

CWE ID-CWE-284

Improper Access Control

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CVE-2026-3186

Assigner-VulDB

View Details

Assigner-VulDB

CVSS Score-5.3||MEDIUM

EPSS-0.03% / 7.49%

7 Day CHG~0.00%

Published-25 Feb, 2026 | 13:32

Updated-26 Feb, 2026 | 15:53

feiyuchuixue sz-boot-parent Password Reset password default password

A vulnerability was determined in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this vulnerability is an unknown functionality of the file /api/admin/sys-user/reset/password/ of the component Password Reset Handler. This manipulation of the argument userId causes use of default password. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.3.3-beta addresses this issue. Patch name: aefaabfd7527188bfba3c8c9eee17c316d094802. It is suggested to upgrade the affected component. The project was informed beforehand and acted very professional: "We have added authorization validation to the password reset interface; now only users with the corresponding permissions are allowed to perform password resets."

Vendor-szadmin feiyuchuixue

Product-sz-boot-parent sz-boot-parent

CWE ID-CWE-1393

Use of Default Password

CVE-2026-3185

Assigner-VulDB

View Details

Assigner-VulDB

CVSS Score-6.9||MEDIUM

EPSS-0.03% / 9.64%

7 Day CHG~0.00%

Published-25 Feb, 2026 | 13:32

Updated-26 Feb, 2026 | 15:57

feiyuchuixue sz-boot-parent API Endpoint sys-message authorization

A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professional: "We have implemented message ownership verification, so that users can only query messages related to themselves."

Vendor-szadmin feiyuchuixue

Product-sz-boot-parent sz-boot-parent

CWE ID-CWE-285

Improper Authorization

CWE ID-CWE-639

Authorization Bypass Through User-Controlled Key