CVE-2026-34027 | The Wertheim SafeController Software, AssemblyVersion 6.15.8… | CVSS 5.3 MEDIUM

Description

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.

Metadata

CVE ID: CVE-2026-34027
State: PUBLISHED
Assigner: SEC-VLab
Reserved: 2026-03-25 10:46 UTC
Published: 2026-06-15 10:04 UTC
Last updated: 2026-06-15 12:31 UTC
Primary CWE: CWE-434
CWE-434 Unrestricted upload of file with dangerous type
Vendor / Product: Wertheim GmbH / Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Wertheim GmbH	Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)	—	Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014

Weakness (CWE)

CWE	Source	Description
CWE-434	cna	CWE-434 Unrestricted upload of file with dangerous type

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (2)