Arbitrary File Upload Affecting notrinos/notrinos-erp package, versions >=0.0.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary File Upload vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-NOTRINOSNOTRINOSERP-17950713
  • published11 Jul 2026
  • disclosed10 Jul 2026
  • creditUnknown

Introduced: 10 Jul 2026

New CVE NOT AVAILABLE CWE-22  (opens in a new tab)
CWE-434  (opens in a new tab)

How to fix?

There is no fixed version for notrinos/notrinos-erp.

Overview

notrinos/notrinos-erp is a web-based enterprise management system that is written in PHP and MySql. NotrinosERP contains all the required modules for running any small to medium size businesses. It supports multi users, multi currencies, multi languages.

Affected versions of this package are vulnerable to Arbitrary File Upload via the tab_documents process. An attacker can execute arbitrary code on the server by uploading a crafted file with a dangerous extension, such as .php, which is then stored in a web-accessible directory without validation. This allows the attacker to access the uploaded file directly and trigger code execution. This is only exploitable if the attacker has an authenticated session with the required permissions and a valid CSRF token.

References

CVSS Base Scores

version 4.0
version 3.1