MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
References
| Link | Resource |
|---|---|
| https://cert.pl/en/posts/2026/07/CVE-2026-53902 | Third Party Advisory |
| https://mco.mycomplianceoffice.com/ | Product |
Configurations
History
06 Jul 2026, 13:47
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:mycomplianceoffice:mycomplianceoffice:25.3.3.1:*:*:*:*:*:*:* | |
| First Time |
Mycomplianceoffice mycomplianceoffice
Mycomplianceoffice |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| References | () https://cert.pl/en/posts/2026/07/CVE-2026-53902 - Third Party Advisory | |
| References | () https://mco.mycomplianceoffice.com/ - Product |
01 Jul 2026, 13:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-01 13:17
Updated : 2026-07-06 13:47
NVD link : CVE-2026-53909
Mitre link : CVE-2026-53909
CVE.ORG link : CVE-2026-53909
JSON object : View
Products Affected
mycomplianceoffice
- mycomplianceoffice
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
