Unrestricted File Upload via uploadLogo in IQSS Dataverse Theme Customization <6.10
CVE-2026-1879 Published on April 1, 2026
Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Types
What is an Unrestricted File Upload Vulnerability?
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVE-2026-1879 has been classified to as an Unrestricted File Upload vulnerability or weakness.
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-1879 has been classified to as an Authorization vulnerability or weakness.
Affected Versions
Harvard University IQSS Dataverse:- Version 6.0 is affected.
- Version 6.1 is affected.
- Version 6.2 is affected.
- Version 6.3 is affected.
- Version 6.4 is affected.
- Version 6.5 is affected.
- Version 6.6 is affected.
- Version 6.7 is affected.
- Version 6.8 is affected.
- Version 6.10 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.