CVE-2026-28270
Kiteworks Core has an Unrestricted Upload of File with Dangerous Type
In short
Kiteworks versions before 9.2.0 let administrators upload files without checking their type or safety, so dangerous files can be added to the system. This matters because it could let attackers store harmful content on the network.
Technical detail
A CWE-434 vulnerability in Kiteworks prior to v9.2.0 permits unrestricted file uploads due to insufficient type validation on administrator-accessible endpoints. An authenticated malicious admin can upload arbitrary file types, potentially enabling code execution or data exfiltration depending on how uploaded files are processed. Fixed in version 9.2.0.
Summary generated and translated by AI from the official description.
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration allows uploading of arbitrary files without proper validation. Malicious administrators could exploit this to upload unauthorized file types to the system. Version 9.2.0 contains a patch for the issue.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Affected products
kiteworks · security-advisories