CVE-2026-53909
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
MCO does not correctly validate uploaded file types, relying solely on client-side checks that can be bypassed. An authenticated, low-privileged attacker can upload arbitrary file types to the server. The vulnerability is confirmed in version 25.3.3.1 but may affect other versions.
Risk Assessment
An attacker can upload malicious files (e.g., scripts, executables) to the server, potentially leading to remote code execution, privilege escalation, or further system compromise.
Recommendation
Implement server-side file type validation immediately and restrict allowed file extensions. Apply a patch if available; otherwise, consider temporarily disabling the file upload feature.
Original NVD description (English source)
MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

