FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. Attackers can supply path traversal sequences ../../../shell.php to write files outside the intended attachments directory into the web root, and by uploading PHP files without extension validation, achieve remote code execution as the web server user.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40521.json",
"cwe_ids": [
"CWE-22"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "CPE_FIELD"
},
{
"extracted_events": [
{
"fixed": "2.4.20"
}
],
"source": "DESCRIPTION"
}
],
"cna_assigner": "VulnCheck"
}