๐Ÿ” CVE Alert

CVE-2025-34336

UNKNOWN 0.0

eGovFramework <= 4.3.1 Unauthenticated File Upload via Web Editor Image Upload Endpoints

CVSS Score
0.0
EPSS Score
0.5%
EPSS Percentile
40th

eGovFramework/egovframe-common-components versions up to and including 4.3.1 contain an unauthenticated file upload vulnerability via the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requests without authentication, pass the uploaded content to a shared upload helper, and store the file on the server under a framework-controlled path. The framework then returns a download URL that can be used to retrieve the uploaded content, including an attacker-controlled Content-Type within the limits of the image upload functionality. While a filename extension whitelist is enforced, the attacker fully controls the file contents. The response MIME type used is also attacker-controlled when the file is served up to version < 4.1.2. Since version 4.1.2, it is possible to download any image uploaded with any whitelisted content type. But any file uploaded other than an image will be served with the `application/octet-stream` content type (the content type is no longer controlled by the attacker since version 4.1.2). This enables an unauthenticated attacker to use any affected application as a persistent file hosting service for arbitrary content under the application's origin. KISA/KrCERT has identified this unpatched vulnerability as "KVE-2023-5280."

CWE CWE-434
Vendor egovframework/egovframe-common-components
Product egovframework/egovframe-common-components
Published Nov 19, 2025
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for egovframework/egovframe-common-components egovframework/egovframe-common-components

Be the first to know when new unknown vulnerabilities affecting egovframework/egovframe-common-components egovframework/egovframe-common-components are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

eGovFramework/egovframe-common-components / eGovFramework/egovframe-common-components
0 โ‰ค 4.3.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
egovframe.go.kr: https://www.egovframe.go.kr/eng/sub.do?menuNo=2 github.com: https://github.com/eGovFramework/egovframe-common-components pierrekim.github.io: https://pierrekim.github.io/blog/2025-11-20-egovframe-2-vulnerabilities.html pierrekim.github.io: https://pierrekim.github.io/advisories/2025-egovframe.txt vulncheck.com: https://www.vulncheck.com/advisories/egovframework-unauthenticated-file-upload-via-web-editor-image-upload-endpoints

Credits

Pierre Barre