216.73.216.75

CVE-2026-34735

· Published 02/04/2026 19:21 · Modified 03/04/2026 16:10

Labels: CVE-2026-34735 2026-04-02CVE-2026-34735CWE-434[email protected]

Essential information

Published
02/04/2026 19:21
Modified
03/04/2026 16:10
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload() endpoint validates uploaded files by checking their MIME type (via PHP's finfo, which inspects file contents) but constructs the stored filename using the client-supplied file extension from getClientOriginalExtension(). These two checks are independent: an attacker can upload a file whose content passes the MIME allowlist while using a .php extension. The file is stored on the public disk and is directly accessible via URL, allowing server-side code execution. At time of publication no known patches exist.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
hytale / hytale cpe:2.3:a:hytale:hytale:*:*:*:*:*:*:*:*

References