CVE-2026-5027
HIGH
NVD
CVSS Score
8.8
Severity
HIGH
Published
Mar 27, 2026
Vendor
unknown
Description
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').