Arbitrary File Write via Path Traversal in Shopizer /content/images/add

Successful exploitation allows an attacker to write arbitrary files to any path writable by the Shopizer process. This can compromise integrity by overwriting or planting application files, configuration files, or web-accessible content; compromise confidentiality depending on follow-on access enabled by planted files; and affect availability by corrupting application state or critical files. Given the provided CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the vulnerability is remotely exploitable with low complexity, requires no privileges or user interaction, and can have high impact across confidentiality, integrity, and availability.

If an official fix is not yet available, restrict or disable access to the /content/images/add endpoint, especially from untrusted networks. Place the application behind authentication or network filtering where possible. Run Shopizer with the least privileges necessary so the service account cannot write to sensitive filesystem locations. Constrain writable directories, harden filesystem permissions, and monitor for unexpected file creation or modification in application, webroot, and configuration paths. Web application firewall rules or reverse-proxy filtering may help block suspicious POST requests containing traversal patterns, though this is only a compensating control.

Upgrade to a Shopizer version that fixes CVE-2026-36767, if a vendor patch is available. The vulnerable /content/images/add endpoint should be corrected to canonicalize and strictly validate file paths, reject traversal sequences, and enforce writes only within a dedicated upload directory. Server-side controls should generate destination filenames rather than trusting client-supplied paths, and the application should verify the resolved canonical path remains within an allowlisted base directory before writing files.