CVE Catalog

CVE-2026-53909

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

MCO does not correctly validate uploaded file types, relying solely on client-side checks that can be bypassed. An authenticated, low-privileged attacker can upload arbitrary file types to the server. The vulnerability is confirmed in version 25.3.3.1 but may affect other versions.

Risk Assessment

An attacker can upload malicious files (e.g., scripts, executables) to the server, potentially leading to remote code execution, privilege escalation, or further system compromise.

Recommendation

Implement server-side file type validation immediately and restrict allowed file extensions. Apply a patch if available; otherwise, consider temporarily disabling the file upload feature.

Original NVD description (English source)

MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS