Part of Lyceum Intelligence, deep-research In Focus reports.


CVE-2026-36767 -- CVSS 10.0 Vulnerability Briefing

CVE-2026-36767 | CVSS 10.0 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-36767 is a path traversal vulnerability in the /content/images/add endpoint of Shopizer v3.2.5, an open-source Java-based e-commerce platform. An attacker who can reach the endpoint can write arbitrary files to any location on the underlying server that the Shopizer process is permitted to write to. The reporting available for this briefing does not settle whether the endpoint can be reached without authentication, so it should be treated as reachable by unauthenticated clients until the project confirms otherwise.

Technical Detail

The flaw exists because the /content/images/add endpoint does not properly sanitize or constrain the file path supplied in a crafted POST request, so directory traversal sequences in the filename or path parameter are carried through to the filesystem write and escape the intended upload directory. By submitting a name such as a run of ../ segments followed by a target path, an attacker can make the write resolve to an arbitrary location: a web-accessible directory, a directory the server or scheduler executes from, or the application's own configuration files. Successful exploitation can therefore yield remote code execution (a malicious script dropped where the server will execute it) or persistent compromise (overwritten configuration, planted backdoors). The practical blast radius is bounded by the permissions of the account Shopizer runs as: a deployment running as root turns an arbitrary write into full host compromise, while a tightly restricted service account limits the targets that can be reached.
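To make the mechanism concrete, the following added example (not Shopizer code; the upload root, the function names and the request filenames are assumptions constructed for illustration) models the flawed join in Python beside a hardened resolver, and shows why the quick fix of rejecting the literal string ../ is not enough. The same resolver is the server-side validation recommended under What To Do.

```python
"""Model of the CVE-2026-36767 write path: flawed join beside a hardened one.

Added example, not code from Shopizer. UPLOAD_ROOT, the function names and the
request names below are assumptions constructed to illustrate the mechanism.
"""
import os
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Assumed upload directory; the briefing does not state Shopizer's real path.
UPLOAD_ROOT = Path("/var/www/shopizer/static/files")


def vulnerable_target(filename: str, root: Path = UPLOAD_ROOT) -> str:
    """Models the flaw: the client-supplied name is joined onto the upload
    directory without canonicalisation, so '..' segments walk out of it and an
    absolute name replaces the root outright (os.path.join semantics).
    Returns the path the upload would actually be written to."""
    return os.path.normpath(os.path.join(str(root), filename))


def naive_filter(filename: str) -> bool:
    """The tempting quick fix: refuse names containing '../'. Encoded forms,
    backslash separators and absolute paths all pass it (True = allowed)."""
    return "../" not in filename


class UnsafeFilename(ValueError):
    """Raised when a request filename is not a bare name inside the root."""


def safe_target(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Hardened resolution: decode once, require a bare file name, then
    canonicalise and confirm the result still lies under the upload root."""
    name = unquote(filename)                 # %2e%2e%2f -> ../ before any check
    name = name.replace("\\", "/")           # treat Windows separators as separators
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(filename)
    if PurePosixPath(name).name != name:     # a separator or '..' component survived
        raise UnsafeFilename(filename)
    root_r = root.resolve()                  # strict=False: nothing needs to exist yet
    target = (root_r / name).resolve()
    if root_r not in target.parents:         # defence in depth (e.g. symlinked root)
        raise UnsafeFilename(filename)
    return target


def is_rejected(filename: str) -> bool:
    """True when the hardened resolver refuses the name."""
    try:
        safe_target(filename)
    except UnsafeFilename:
        return True
    return False


# Constructed request filenames: one legitimate, the rest traversal attempts
# in the forms a substring check for '../' would miss.
CONSTRUCTED_NAMES = [
    "product-42.jpg",
    "../../../../../etc/cron.d/evil",                       # plain traversal
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/cron.d/evil",   # URL-encoded dots
    "..\\..\\..\\..\\..\\etc\\cron.d\\evil",                # backslashes (Windows hosts)
    "/etc/cron.d/evil",                                     # absolute path
]


def compare(names=CONSTRUCTED_NAMES):
    """For each name: does the '../' filter allow it, where would the flawed
    join write it, and does the hardened resolver reject it."""
    return [(n, naive_filter(n), vulnerable_target(n), is_rejected(n)) for n in names]


if __name__ == "__main__":
    for name, allowed, written, rejected in compare():
        print(f"{name!r}: naive filter allows={allowed}, flawed join writes "
              f"{written}, hardened resolver rejects={rejected}")
```

Of the five constructed names, the naive filter stops only the plain ../ form, and the flawed join sends both that form and the absolute path straight to /etc/cron.d/evil; the hardened resolver accepts only product-42.jpg. The final containment check is deliberately redundant with the bare-name rule so that a future change to the name rule cannot silently reopen the escape.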

Exploitation Status

No public exploit code had been observed or confirmed as of May 7, 2026, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. That absence should not be read as low risk: with a CVSS score of 10.0 and a flaw class that needs nothing more than a crafted upload request, the barrier to exploitation is low for anyone who can reach the endpoint.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been linked to this vulnerability. Given that Shopizer is an e-commerce platform, organizations in the retail and online commerce sectors should treat this as a relevant exposure, but no confirmed targeting has been observed.

What To Do

Organizations running Shopizer v3.2.5 should treat this as a priority patch given the critical severity and the potential for remote code execution. Check the Shopizer project repository and release notes for a fixed release and apply it as soon as it is available.

Until a patch is applied, restrict access to the /content/images/add endpoint at the network or application layer so that only trusted IP ranges or authenticated administrative users can reach it, and confirm that the Shopizer process runs as an unprivileged account whose write access is limited to the directories it genuinely needs, so that an arbitrary write cannot land in a location that yields code execution.

Where the application can be modified, validate the filename server-side. Rejecting the literal string ../ is not sufficient on its own: URL-encoded (%2e%2e%2f) and double-encoded forms, backslash separators on Windows hosts and absolute paths all bypass a plain substring check. Decode the value once, accept only a bare file name with no separator or .. component, then canonicalize the resulting path and verify it still lies under the upload root before writing.

Monitor web server logs for POST requests to the affected endpoint, flagging any that carry traversal patterns or that originate from addresses outside the expected administrative set. Note that a standard access log records only the request line, so a traversal string carried in a multipart form body will not appear there; application-level request logging or a WAF in front of the endpoint is needed to see it. Finally, audit the filesystem for unexpected or recently modified files in directories outside the designated upload path, giving priority to web-served directories and locations from which the server executes code.
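As an added example of the log monitoring described above (not from the briefing or the Shopizer project), the following Python scans constructed combined-format access log lines for POST requests to /content/images/add. The name= query parameter, the trusted-source allowlist and the log lines themselves are assumptions; a real request may carry the filename in the multipart body, which this kind of log does not capture.

```python
"""Flag suspicious POST requests to the Shopizer /content/images/add endpoint
in web server access logs.

Added example, not from the briefing or the Shopizer project. The log lines
are constructed in Apache/nginx combined format, TRUSTED_SOURCES and the
name= parameter are assumptions, and the endpoint string is the one named
in the briefing.
"""
import re
from urllib.parse import unquote

ENDPOINT = "/content/images/add"
# Assumed: addresses expected to use the administrative upload endpoint.
TRUSTED_SOURCES = {"10.0.5.20"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# After decoding: '../' or '..\' anywhere, or a parameter value that starts
# with '/' (an absolute path smuggled in place of a file name).
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|=/")

# Constructed sample lines; 203.0.113.7 and 198.51.100.9 are documentation
# ranges standing in for external clients.
LOG_LINES = [
    '10.0.5.20 - admin [07/May/2026:09:14:02 +0000] "POST /content/images/add HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/May/2026:09:15:11 +0000] "POST /content/images/add?name=..%2F..%2F..%2Fetc%2Fcron.d%2Fevil HTTP/1.1" 200 128',
    '198.51.100.9 - - [07/May/2026:09:15:40 +0000] "POST /content/images/add HTTP/1.1" 200 128',
    '203.0.113.7 - - [07/May/2026:09:16:05 +0000] "POST /content/images/add?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 400 0',
    '10.0.5.20 - admin [07/May/2026:09:17:00 +0000] "GET /content/images/logo.png HTTP/1.1" 200 4096',
    '203.0.113.7 - - [07/May/2026:09:18:22 +0000] "POST /content/images/add?name=/etc/cron.d/evil HTTP/1.1" 200 128',
]


def decode_target(target: str) -> str:
    """Decode twice so double-encoded sequences (%252e -> %2e -> .) are seen."""
    return unquote(unquote(target))


def classify(line: str):
    """Return a finding dict for a POST to the endpoint, else None.
    verdict is one of: traversal-in-request-line, upload-from-untrusted-source,
    expected."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    path = decoded.split("?", 1)[0]
    if m["method"] != "POST" or not path.startswith(ENDPOINT):
        return None
    if TRAVERSAL_RE.search(decoded):
        verdict = "traversal-in-request-line"
    elif m["ip"] not in TRUSTED_SOURCES:
        verdict = "upload-from-untrusted-source"
    else:
        verdict = "expected"
    return {"ip": m["ip"], "time": m["ts"], "target": m["target"],
            "status": m["status"], "verdict": verdict}


def scan(lines):
    """All findings worth a look, in log order (expected traffic dropped)."""
    findings = (classify(line) for line in lines)
    return [f for f in findings if f and f["verdict"] != "expected"]


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f['time']} {f['ip']} {f['verdict']} status={f['status']} {f['target']}")
```

Run against the constructed lines it reports four findings: the encoded and double-encoded traversals, the absolute-path attempt, and a plain upload from an address outside the allowlist. The untrusted-source rule matters because the filename usually travels in the POST body, where the request line gives no traversal pattern to match; where body or application logging is available, apply the same decode-then-match step to the multipart filename field. Even a 400 response is reported, since a failed probe is still reconnaissance worth an alert.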
