Terrapack File Upload Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A file upload vulnerability has been identified in the Terrapack software by ASTER TEC / ASTER S.p.A. This vulnerability is present in the following components and versions: Terrapack TkWebCoreNG (1.0.20200914), Terrapack TKServerCGI (2.5.4.150), and Terrapack TpkWebGIS Client (1.0.0). The issue arises because the 'TkWebCoreNG/InputOutputFile.php' page lacks proper server-side validation, allowing users to upload malicious files. These files are then moved to the 'TkRepository' folder, where, if accessed, they could lead to remote code execution.

Impact

Exploitation of this vulnerability could result in unauthorized remote code execution on the server.
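
A defender-side check for the 'TkRepository' folder described above, as an added example that is not part of the advisory or of Terrapack: it walks a repository directory and flags stored files whose name carries a server-side script extension or whose content contains a PHP opening tag. The extension set, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: adjust this set to the handlers configured on the server hosting Terrapack.
EXECUTABLE_EXTS = {"php", "php5", "php7", "phtml", "phar", "pht", "asp", "aspx", "jsp"}
SCRIPT_MARKERS = (b"<?php", b"<?=")  # content hits are leads for review

def audit_file(path):
    """Return the reasons a stored upload needs review (empty list if none)."""
    reasons = []
    # Check every dotted component: handlers may match an extension anywhere in the name.
    parts = os.path.basename(path).lower().split(".")[1:]
    hits = [p for p in parts if p in EXECUTABLE_EXTS]
    if hits:
        reasons.append("executable extension: " + ",".join(hits))
    with open(path, "rb") as fh:
        head = fh.read(65536)
    for marker in SCRIPT_MARKERS:
        if marker in head:
            reasons.append("script marker in content: " + marker.decode())
            break
    return reasons

def audit_tree(root):
    """Walk the repository and map relative path -> list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = audit_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_repository(root):
    """Write constructed sample files standing in for a TkRepository folder."""
    samples = {"survey.csv": b"id,name\n1,parcel\n",
               "report.php": b"<?php echo 'constructed sample'; ?>",
               "photo.php.jpg": b"\xff\xd8\xff\xe0 constructed sample",
               "notes.txt": b"constructed\n<?php /* sample */ ?>"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repository(tmp)
        for rel, why in sorted(audit_tree(tmp).items()):
            print(rel, "->", "; ".join(why))
```

Point `audit_tree` at the real repository path on the server to triage what is already stored there; a hit is a lead for manual review, not proof of compromise.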

Added: Mar 20, 2026, 4:23 PM
Updated: Mar 20, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.7
remediation: 0.0
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.