{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6105", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-11T07:14:44.771Z", "datePublished": "2026-04-11T22:00:24.856Z", "dateUpdated": "2026-04-13T17:41:44.218Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-11T22:00:24.856Z"}, "title": "perfree go-fastdfs-web doInstall InstallController.java improper authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "perfree", "product": "go-fastdfs-web", "versions": [{"version": "1.3.0", "status": "affected"}, {"version": "1.3.1", "status": "affected"}, {"version": "1.3.2", "status": "affected"}, {"version": "1.3.3", "status": "affected"}, {"version": "1.3.4", "status": "affected"}, {"version": "1.3.5", "status": "affected"}, {"version": "1.3.6", "status": "affected"}, {"version": "1.3.7", "status": "affected"}], "modules": ["doInstall Interface"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-11T09:19:50.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "yingxiujie (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356964", "name": "VDB-356964 | perfree go-fastdfs-web doInstall InstallController.java improper authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356964/cti", "name": "VDB-356964 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781598", "name": "Submit #781598 | perfree go-fastdfs-web v1.3.7 Unauthorized takeover of the platform Vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/ying-xiujie/cve/issues/IGB6M9", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:41:35.538403Z", "id": "CVE-2026-6105", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:41:44.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6105", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:41:35.538403Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:41:40.501Z"}}], "cna": {"title": "perfree go-fastdfs-web doInstall InstallController.java improper authorization", "credits": [{"lang": "en", "type": "reporter", "value": "yingxiujie (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "perfree", "modules": ["doInstall Interface"], "product": "go-fastdfs-web", "versions": [{"status": "affected", "version": "1.3.0"}, {"status": "affected", "version": "1.3.1"}, {"status": "affected", "version": "1.3.2"}, {"status": "affected", "version": "1.3.3"}, {"status": "affected", "version": "1.3.4"}, {"status": "affected", "version": "1.3.5"}, {"status": "affected", "version": "1.3.6"}, {"status": "affected", "version": "1.3.7"}]}], "timeline": [{"lang": "en", "time": "2026-04-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-11T09:19:50.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356964", "name": "VDB-356964 | perfree go-fastdfs-web doInstall InstallController.java improper authorization", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356964/cti", "name": "VDB-356964 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781598", "name": "Submit #781598 | perfree go-fastdfs-web v1.3.7 Unauthorized takeover of the platform Vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/ying-xiujie/cve/issues/IGB6M9", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-11T22:00:24.856Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6105", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:41:44.218Z", "dateReserved": "2026-04-11T07:14:44.771Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-11T22:00:24.856Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6105", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-11T22:16:01.417", "references": [{"source": "cna@vuldb.com", "url": "https://gitee.com/ying-xiujie/cve/issues/IGB6M9"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781598"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356964"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356964/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "go-fastdfs-web", "source": "cna", "vendor": "perfree"}, "product": "go-fastdfs-web", "vendor": "perfree"}], "analysis": {"en": {"generated_at": "2026-04-11T23:50:36.058795+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011proposed patch or upgrade to a non\u2011vulnerable release of go-fastdfs-web.", "Confirm that the InstallController enforces proper authorization checks before performing privileged actions.", "If a patch is unavailable, isolate the affected service, limit network exposure to the InstallController endpoint, and monitor for suspicious activity.", "Contact the vendor for official guidance and stay alert for future advisories."], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerable product is perfree:go-fastdfs-web, specifically every release up to version 1.3.7. The flaw is located in src/main/java/com/perfree/controller/InstallController.java within the doInstall interface, and no later versions have been documented as affected.", "description_and_impact": "An improper authorization flaw exists in the InstallController component of perfree\u2019s go-fastdfs-web, affecting versions up to 1.3.7. The bug allows an attacker to bypass access controls, potentially executing privileged operations or accessing sensitive data without proper authentication. This weakness aligns with common vulnerability identifiers CWE\u2011266 and CWE\u2011285, which represent inadequate permission enforcement and unauthorized privilege escalation.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, and the vulnerability is not listed in the KEV catalog. No EPSS data are available, but the description states the exploit has been publicly disclosed and may be used. It is inferred that the attack vector is remote, allowing external actors to trigger the vulnerability by accessing the InstallController endpoint. Given these factors, the risk remains moderate to high until a vendor patch or equivalent mitigation is applied."}}}}, "created": "2026-04-13T12:41:48.996387+00:00", "updated": "2026-04-13T12:56:31.648076+00:00", "vendors": ["perfree", "perfree$PRODUCT$go-fastdfs-web"]}