CVE-2026-32989

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32989
Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations, leading to arbitrary code execution in the context of the web server.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.packetstorm.news/files/id/215644/ Exploit Issue Tracking
https://www.precurio.com Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:precurio:intranet_portal:4.4:*:*:*:*:*:*:*
History

16 Apr 2026, 14:35

Type Values Removed Values Added
CPE cpe:2.3:a:precurio:intranet_portal:4.4:*:*:*:*:*:*:*
First Time Precurio intranet Portal
Precurio
References () https://www.packetstorm.news/files/id/215644/ - () https://www.packetstorm.news/files/id/215644/ - Exploit, Issue Tracking
References () https://www.precurio.com - () https://www.precurio.com - Product

01 Apr 2026, 15:23

Type Values Removed Values Added
CWE CWE-352
CWE-434
Summary
  • (es) Precurio Intranet Portal 4.4 contiene una vulnerabilidad de falsificación de petición en sitios cruzados que permite a los atacantes inducir a usuarios autenticados a enviar peticiones manipuladas a un punto final de actualización de perfil que gestiona la carga de archivos. Los atacantes pueden explotar esto para cargar archivos ejecutables en ubicaciones accesibles desde la web, lo que lleva a la ejecución de código arbitrario en el contexto del servidor web.

20 Mar 2026, 18:16

Type Values Removed Values Added
Summary (en) Precurio Intranet Portal 4.4 contains a cross-site request forgery (CSRF) weakness that can allow an attacker to induce an authenticated user to submit a crafted request to a profile update endpoint that handles file uploads. If the application stores attacker-controlled content as an executable server-side file (e.g., in a web-accessible location with an executable extension), this can lead to arbitrary code execution in the context of the web server. (en) Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations, leading to arbitrary code execution in the context of the web server.

20 Mar 2026, 16:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-20 16:16

Updated : 2026-04-16 14:35

NVD link : CVE-2026-32989

Mitre link : CVE-2026-32989

CVE.ORG link : CVE-2026-32989

JSON object : View

Products Affected

precurio

  • intranet_portal
CWE
CWE-352

Cross-Site Request Forgery (CSRF)

CWE-434

Unrestricted Upload of File with Dangerous Type