Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-36760 -- CVSS 9.6 Vulnerability Briefing

CVE-2026-36760 | CVSS 9.6 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-36760 is a path traversal and arbitrary file write vulnerability in JeeSite v5.15.1, specifically affecting the fileMd5 parameter in the /a/file/upload endpoint of the web application framework.

Technical Detail

The flaw exists because the fileMd5 parameter in the file upload endpoint is not properly sanitized, allowing an authenticated attacker with file upload permissions to supply a crafted value that traverses outside the intended upload directory and writes arbitrary files to attacker-controlled paths on the server. By writing files to sensitive locations such as web-accessible directories or application configuration paths, an attacker could achieve remote code execution, for example by placing a web shell in a publicly accessible directory. Exploitation requires a valid authenticated session with file upload privileges, which reduces but does not eliminate risk in environments where such accounts are broadly provisioned or where credentials have been compromised.

Exploitation Status

No known exploit code has been publicly observed or confirmed as of May 7, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit at this time, though the attack pattern is well-understood and the technique is straightforward to implement given authenticated access.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Given the nature of the flaw and the prevalence of JeeSite in Chinese enterprise and government deployments, opportunistic actors targeting Java-based enterprise applications should be considered a plausible threat class, but this is not confirmed.

What To Do

Organizations running JeeSite v5.15.1 should monitor the vendor's official repository and release channels for a patched version and apply updates as soon as they become available. As an interim measure, restrict file upload permissions to the minimum necessary set of authenticated users and enforce network-level access controls on the /a/file/upload endpoint to limit exposure to trusted internal networks only. Detection efforts should focus on anomalous file creation events outside expected upload directories, particularly the creation of script files such as JSP, PHP, or shell scripts via the upload endpoint. Review web server and application logs for requests to /a/file/upload containing directory traversal sequences such as ../ or URL-encoded equivalents in the fileMd5 parameter. Given the CVSS score of 9.6, this should be treated as a high-priority remediation item even in the absence of confirmed active exploitation.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →