CVE-2026-40521
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk46th percentile - higher than 46% of all known CVEs
Summary
A path traversal vulnerability in FrontAccounting before version 2.4.20 allows authenticated attackers to achieve remote code execution by uploading files with traversal sequences in the unique_name parameter. Attackers can write a PHP file outside the attachments directory into the web root, leading to arbitrary code execution.
Risk Assessment
The risk for the organization includes full compromise of the web server, potentially leading to data theft, content modification, or further attacks on the infrastructure.
Recommendation
Immediately upgrade FrontAccounting to version 2.4.20 or later, which includes a fix for the path traversal vulnerability.
Original NVD description (English source)
FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. Attackers can supply path traversal sequences ../../../shell.php to write files outside the intended attachments directory into the web root, and by uploading PHP files without extension validation, achieve remote code execution as the web server user.

