Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-2976— FastApiAdmin Download Endpoint controller.py download_controller information disclosure

CVSS 4.3 · Medium EPSS 0.04% · P12
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-2976

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
FastApiAdmin Download Endpoint controller.py download_controller information disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument file_path causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
FastAPI Admin 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FastAPI Admin是FastAPI Admin开源的一个基于 FastAPI 和 TortoiseORM 的快速管理仪表板。 FastAPI Admin 2.2.0及之前版本存在访问控制错误漏洞,该漏洞源于对组件Download Endpoint中文件/backend/app/api/v1/module_common/file/controller.py的函数download_controller的参数file_path的错误操作,可能导致信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-FastApiAdmin 2.0 -

II. Public POCs for CVE-2026-2976

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-2976

登录查看更多情报信息。

Same Patch Batch · n/a · 2026-02-23 · 24 CVEs total

CVE-2026-29786.3 MEDIUMFastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload
CVE-2026-29776.3 MEDIUMFastApiAdmin Scheduled Task API controller.py upload_controller unrestricted upload
CVE-2026-29796.3 MEDIUMFastApiAdmin Scheduled Task API controller.py user_avatar_upload_controller unrestricted u
CVE-2026-29755.3 MEDIUMFastApiAdmin Custom Documentation Endpoint init_app.py reset_api_docs information disclosu
CVE-2026-29742.5 LOWAliasVault App Backup aliasvault.xml backup
CVE-2026-29652.4 LOW07FLYCMS/07FLY-CMS/07FlyCRM System Extension edit.html cross site scripting
CVE-2025-71056GCOM EPON 1GE 安全漏洞
CVE-2025-70327TOTOLINK X5000R 安全漏洞
CVE-2025-70328TOTOLINK X6000R 安全漏洞
CVE-2025-70329TOTOLINK X5000R 安全漏洞
CVE-2025-63946Tencent PC Manager 安全漏洞
CVE-2025-63945Tencent iOA 安全漏洞
CVE-2025-61147Structure AG Libde265 安全漏洞
CVE-2025-61145LibTIFF 安全漏洞
CVE-2025-61146libsixel 安全漏洞
CVE-2025-61143LibTIFF 安全漏洞
CVE-2025-61144LibTIFF 安全漏洞
CVE-2026-26464Kashipara Society Management System Portal 安全漏洞
CVE-2025-70058Sean1025 YMFE YApi 安全漏洞
CVE-2025-70045jxm 安全漏洞

Showing top 20 of 24 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: FastApiAdmin
Same vendor: n/a
Same weakness: CWE-200

V. Comments for CVE-2026-2976

No comments yet

Leave a comment