Arbitrary file upload in 9front
CVE-2026-9053
Mothra honored the default value that a website supplied for an HTML file upload form field. An attacker could craft a website with a malicious default file path and then conceal this form element.
Vulnerability class: Unrestricted File Upload
EPSS: 0.001 (17.6th percentile)
Affected products
- 9front — versions f04e113279274526a8dae34de373027b68921fbf
Weakness classification (CWE)
References
- 1d66c9f9-fff2-411a-aa19-ca6312fa25e9 (mitigation)