CVE-2026-2979
HIGH WAF: Medium
CVSS 8.8
Published: 2026-02-23
CWE-434
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| fastapiadmin | fastapiadmin | up to 2.2.0 |
References
- github.com (Exploit, Third Party Advisory)
- vuldb.com (Permissions Required)
- vuldb.com (Third Party Advisory)
- vuldb.com (Third Party Advisory)