CVE-2026-15518 PUBLISHED

AREA 17 Twill CMS Media Library Insert FileLibraryController.php storeFile unrestricted upload

Assigner: VulDB
Reserved: 12.07.2026 Published: 13.07.2026 Updated: 13.07.2026

A vulnerability has been found in AREA 17 Twill CMS up to 3.6.0. The impacted element is the function FileLibraryController::storeFile of the file src/Http/Controllers/Admin/FileLibraryController.php of the component Media Library Insert Page. Such manipulation of the argument qqfilename leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.1

Product Status

Vendor AREA 17
Product Twill CMS
Versions
  • Version 3.0 is affected
  • Version 3.1 is affected
  • Version 3.2 is affected
  • Version 3.3 is affected
  • Version 3.4 is affected
  • Version 3.5 is affected
  • Version 3.6.0 is affected

Credits

  • Jobyer Ahmed finder
  • suffer (VulDB User) reporter
  • VulDB CNA Team coordinator

References

Problem Types

  • Unrestricted Upload CWE
  • Improper Access Controls CWE