SB20260629112 - Arbitrary file upload in REDAXO
Published: June 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Arbitrary file upload (CVE-ID: CVE-2026-53599)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to unrestricted upload of a file with a dangerous type in rex_mediapool::isAllowedExtension and rex_mediapool::filename(): the checks do not reject an uploaded filename whose blocked extension sits in a non-terminal segment of a multi-extension chain. A remote user can upload a specially crafted JPEG/PHP polyglot and request it from the public media/ directory to execute arbitrary code.
Exploitation requires backend media upload permission and an Apache PHP handler configuration that matches .php as any segment of the filename.
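The weakness described above is a filename check that only inspects the last extension, while the web server's PHP handler may fire on a ".php" segment anywhere in the name. The following PHP is an added illustration of the defensive check, not REDAXO's own code: the blocklist, allowlist, function names and sample filenames are all constructed for this example. It places a terminal-only check (the weak pattern) beside an all-segments check that rejects a blocked extension in any position, and a helper that stores the file under a single terminal extension so no inner extension reaches disk.

```php
<?php
// Added example (not REDAXO's own code): validate an uploaded filename by
// checking every extension segment of a multi-extension chain, not only the
// last one. Lists, names and sample inputs below are constructed.

declare(strict_types=1);

/** Extensions that may never appear in any segment of an uploaded name (constructed list). */
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht'];

/** Extensions the media store is willing to serve (constructed allowlist). */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt'];

/**
 * Weak check, shown for contrast only: it looks at the terminal extension.
 * "image.php.jpg" passes because its last segment is "jpg".
 */
function isAllowedExtensionTerminalOnly(string $filename): bool
{
    $ext = strtolower((string) pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== ''
        && in_array($ext, ALLOWED_EXTENSIONS, true)
        && !in_array($ext, BLOCKED_EXTENSIONS, true);
}

/**
 * Hardened check: split on every dot, reject if any segment after the base
 * name is blocked, and require the terminal segment to be allowlisted.
 * Names without an extension, with empty segments ("a..jpg") or with
 * characters outside a conservative set are rejected as well.
 */
function isAllowedExtensionAllSegments(string $filename): bool
{
    // Base name plus one or more non-empty extension segments, ASCII only.
    if (!preg_match('/^[A-Za-z0-9_\-]+(\.[A-Za-z0-9_\-]+)+$/', $filename)) {
        return false;
    }
    $segments = explode('.', strtolower($filename));
    array_shift($segments); // drop the base name; the rest are extension segments
    foreach ($segments as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return false; // a blocked extension in ANY position is fatal
        }
    }
    return in_array(end($segments), ALLOWED_EXTENSIONS, true);
}

/**
 * Name to store on disk: base name plus the terminal extension only, so an
 * inner extension never survives into the public directory. Returns null
 * when the name fails the hardened check.
 */
function safeStoredName(string $filename): ?string
{
    if (!isAllowedExtensionAllSegments($filename)) {
        return null;
    }
    $segments = explode('.', strtolower($filename));
    $ext = array_pop($segments);
    $base = preg_replace('/[^a-z0-9_\-]/', '_', implode('_', $segments));
    return $base . '.' . $ext;
}

// Constructed sample inputs with the expected decision of the hardened check.
$samples = [
    'photo.jpg'       => true,
    'report.pdf'      => true,
    'image.php.jpg'   => false, // blocked extension in a non-terminal segment
    'image.jpg.php'   => false, // blocked terminal extension
    'image.phtml.png' => false,
    'noext'           => false,
    'a..jpg'          => false,
];
foreach ($samples as $name => $expected) {
    $weak = isAllowedExtensionTerminalOnly($name) ? 'allow' : 'reject';
    $hard = isAllowedExtensionAllSegments($name) ? 'allow' : 'reject';
    printf("%-16s terminal-only=%-7s all-segments=%-7s expected=%s stored=%s\n",
        $name, $weak, $hard, $expected ? 'allow' : 'reject', safeStoredName($name) ?? '-');
}
```

Run it with `php filename-check.php`; the terminal-only column accepts `image.php.jpg` while the all-segments column rejects it. The server side of the precondition in the bulletin is the second control: an Apache handler registered with `AddHandler`/`AddType` for `.php` applies to a `.php` segment anywhere in a name, whereas binding the handler inside a `<FilesMatch "\.php$">` block limits it to the terminal extension, and the public media/ directory should not execute PHP at all.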
Remediation
Install update from vendor's website.