CVE-2026-40521
FrontAccounting < 2.4.20 Path Traversal RCE via attachment upload
Vexday Risk Score: 41 (Attention)
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.7 · EPSS 0.6% · KEV: no · Public PoC: yes · Nuclei: — · Metasploit: — · Patch: referenced
Lifecycle
29 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler. The unique_name parameter is used to build the destination path of the uploaded file without being sanitized, so an authenticated attacker can supply a value such as ../../../shell.php to write the file outside the intended attachments directory, into the web root. Because the handler also performs no extension validation, the uploaded file can be a PHP script; requesting it through the web server then executes arbitrary code as the web server user. Any account permitted to upload attachments (PR:L) is sufficient. The write only succeeds where the web server user can write to the traversal target, so a read-only web root limits the impact but does not remove the traversal itself. Fixed in 2.4.20 (see the referenced commit and release notes).
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
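The following is an added illustration, not FrontAccounting's code and not taken from the referenced writeup: it models the handler behaviour described above, showing how a traversal sequence in unique_name resolves from an attachments directory into the web root, next to the checks a hardened handler applies before touching the filesystem. The directory layout, the allow-list and the helper names are assumptions chosen for the example.

```python
"""Model of the attachment-upload path handling described in the advisory.
Constructed example; not FrontAccounting's code."""
import posixpath
from typing import Optional

# Assumed layout: attachments sit a few levels below the web root
# (company/<n>/attachments), so three ".." segments reach the web root.
WEB_ROOT = "/var/www/html"
ATTACH_DIR = "/var/www/html/company/0/attachments"

# Assumed allow-list of document types a finance app would accept.
ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv"}
# Extensions a PHP-enabled server may execute; rejected in *any* position so a
# double extension such as shell.php.pdf cannot pass the allow-list.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def vulnerable_target(unique_name: str) -> str:
    """Pre-fix pattern as the advisory describes it: the user-supplied name is
    joined onto the attachments directory with no sanitisation."""
    return posixpath.normpath(posixpath.join(ATTACH_DIR, unique_name))


def escapes_attachments_dir(unique_name: str) -> bool:
    """True when the vulnerable handler would write outside ATTACH_DIR."""
    target = vulnerable_target(unique_name)
    return posixpath.commonpath([ATTACH_DIR, target]) != ATTACH_DIR


def reject_reason(unique_name: str) -> Optional[str]:
    """Checks a hardened handler runs before any filesystem access.
    Returns None if the name is acceptable, otherwise why it is rejected."""
    if not unique_name or unique_name in (".", ".."):
        return "empty or dot name"
    if any(ord(c) < 32 or c in "/\\" for c in unique_name):
        return "directory separator or control character in name"
    if posixpath.basename(unique_name) != unique_name:
        return "name contains a path component"
    segments = unique_name.lower().split(".")
    if len(segments) < 2 or segments[0] == "":
        return "missing extension or hidden file (e.g. .htaccess)"
    if segments[-1] not in ALLOWED_EXT:
        return "extension ." + segments[-1] + " not in allow-list"
    if any(seg in EXECUTABLE_EXT for seg in segments[1:]):
        return "executable extension present (double-extension attempt)"
    # Belt and braces: confirm the resolved path still lies inside ATTACH_DIR.
    target = posixpath.normpath(posixpath.join(ATTACH_DIR, unique_name))
    if posixpath.commonpath([ATTACH_DIR, target]) != ATTACH_DIR:
        return "resolved path leaves the attachments directory"
    return None


def hardened_target(unique_name: str) -> str:
    """Destination path for an accepted name; raises for anything rejected."""
    reason = reject_reason(unique_name)
    if reason is not None:
        raise ValueError("upload rejected: " + reason)
    return posixpath.join(ATTACH_DIR, unique_name)


if __name__ == "__main__":
    for name in ["invoice.pdf", "../../../shell.php", "shell.php", "shell.php.pdf"]:
        print(name, "->", vulnerable_target(name),
              "| escapes:", escapes_attachments_dir(name),
              "| hardened:", reject_reason(name) or "accepted")
```

Two points the model makes explicit: containment checking alone is not enough here, because the attachments directory itself is under the web root, so a PHP file written inside it would still be served and executed unless the server is configured not to execute scripts from that directory; and the extension check must look at every dotted segment, since Apache configurations using AddHandler can execute a file named shell.php.pdf.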
Affected products
FrontAccounting · FrontAccounting
Public PoCs found — 1
cve_reference: jivasecurity.com/writeups/frontaccounting-rce-attachment-upload-cve-2026-40521 (unverified)
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/FrontAccountingERP/FA/commit/701fea6848da4a02fb83d30f07a9c0473d6b7e33 (fix commit)
https://jivasecurity.com/writeups/frontaccounting-rce-attachment-upload-cve-2026-40521 (writeup / PoC)
https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/ (2.4.20 release notes)
https://www.vulncheck.com/advisories/frontaccounting-path-traversal-rce-via-attachment-upload (VulnCheck advisory)