CVE-2026-53909: MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privilege
MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-53909
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-539090.23% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 13% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53909 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for MCO does not
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-53908: MCO is vulnerable to User Enumeration through authentication-related functionalities. The appl…nvd · 2026-07-01
- mediumCVE-2026-53907: MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functio…nvd · 2026-07-01
- highCVE-2026-53906: MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related…nvd · 2026-07-01
- highCVE-2026-53905: MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-v…nvd · 2026-07-01
- highCVE-2026-53904: MCO is vulnerable to Account Denial of Service due to improper implementation of password rese…nvd · 2026-07-01
- highCVE-2026-53903: MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer…nvd · 2026-07-01
More from NVD Recent CVEs
- mediumCVE-2026-15475: A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element i…2026-07-12
- mediumCVE-2026-15474: A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an un…2026-07-12
- mediumCVE-2026-15473: A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects som…2026-07-12
- mediumCVE-2026-15472: A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability aff…2026-07-12
- mediumCVE-2026-15471: A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown par…2026-07-12