Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-2979— FastApiAdmin Scheduled Task API controller.py user_avatar_upload_controller unrestricted upload

CVSS 6.3 · Medium EPSS 0.06% · P19
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-2979

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
FastApiAdmin Scheduled Task API controller.py user_avatar_upload_controller unrestricted upload
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
危险类型文件的不加限制上传
Source: NVD (National Vulnerability Database)
Vulnerability Title
FastAPI Admin 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FastAPI Admin是FastAPI Admin开源的一个基于 FastAPI 和 TortoiseORM 的快速管理仪表板。 FastAPI Admin 2.2.0及之前版本存在代码问题漏洞,该漏洞源于对文件/backend/app/api/v1/module_system/user/controller.py中函数user_avatar_upload_controller的操作不当,可能导致无限制上传。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-FastApiAdmin 2.0 -

II. Public POCs for CVE-2026-2979

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-2979

登录查看更多情报信息。

Same Patch Batch · n/a · 2026-02-23 · 24 CVEs total

CVE-2026-29776.3 MEDIUMFastApiAdmin Scheduled Task API controller.py upload_controller unrestricted upload
CVE-2026-29786.3 MEDIUMFastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload
CVE-2026-29755.3 MEDIUMFastApiAdmin Custom Documentation Endpoint init_app.py reset_api_docs information disclosu
CVE-2026-29764.3 MEDIUMFastApiAdmin Download Endpoint controller.py download_controller information disclosure
CVE-2026-29742.5 LOWAliasVault App Backup aliasvault.xml backup
CVE-2026-29652.4 LOW07FLYCMS/07FLY-CMS/07FlyCRM System Extension edit.html cross site scripting
CVE-2025-71056GCOM EPON 1GE 安全漏洞
CVE-2025-70327TOTOLINK X5000R 安全漏洞
CVE-2025-70328TOTOLINK X6000R 安全漏洞
CVE-2025-70329TOTOLINK X5000R 安全漏洞
CVE-2025-63946Tencent PC Manager 安全漏洞
CVE-2025-63945Tencent iOA 安全漏洞
CVE-2025-61147Structure AG Libde265 安全漏洞
CVE-2025-61145LibTIFF 安全漏洞
CVE-2025-61146libsixel 安全漏洞
CVE-2025-61143LibTIFF 安全漏洞
CVE-2025-61144LibTIFF 安全漏洞
CVE-2026-26464Kashipara Society Management System Portal 安全漏洞
CVE-2025-70058Sean1025 YMFE YApi 安全漏洞
CVE-2025-70045jxm 安全漏洞

Showing top 20 of 24 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: FastApiAdmin
Same vendor: n/a
Same weakness: CWE-434

V. Comments for CVE-2026-2979

No comments yet

Leave a comment