Vulnerability details: VCID-enkd-4y44-4ueq
Vulnerability ID VCID-enkd-4y44-4ueq
Aliases CVE-2020-26138
GHSA-7mv4-4xpg-xq44
Summary FormField with square brackets in field name skips validation. FileField with array notation skips validation. The FileField class is commonly used for file upload in custom code on a Silverstripe website. This field is designed to be used with a single file upload. PHP allows for submitting multiple values by adding square brackets to the field name. When this is done to a FileField, it will be coerced into allowing multiple files by using this notation. This is not a supported feature, though nothing is done to prevent this. In this scenario, validation such as limiting allowed extensions is not applied, and the FileField->saveInto() behaviour is not triggered. If custom controller logic is used to process the file uploads, it might implicitly rely on validation to be provided by the Form system, which is not the case.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00292 https://api.first.org/data/v1/epss?cve=CVE-2020-26138
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7mv4-4xpg-xq44
cvssv3.1 5.3 https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2020-26138.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2020-26138.yaml
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2020-26138
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-26138
cvssv3.1 5.3 https://www.silverstripe.org/download/security-releases/cve-2020-26138
generic_textual MODERATE https://www.silverstripe.org/download/security-releases/cve-2020-26138
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2020-26138.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-26138
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://www.silverstripe.org/download/security-releases/cve-2020-26138
Exploit Prediction Scoring System (EPSS)
Percentile 0.52493
EPSS Score 0.00292
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:06:48.190675+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-7mv4-4xpg-xq44/GHSA-7mv4-4xpg-xq44.json 38.0.0