{"uuid": "329fc02f-a2bb-4c19-927e-26977291221b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50878", "type": "seen", "source": "https://gist.github.com/pyuysig/d4c2ace69162c82f1df197ce0f45d63f", "content": "# Vulnerability Report: CVE-2026-50878 - MailForm - Attachment temporary files are not cleaned up after multipart parsing\n\n## Vulnerability Summary\nFeuerhamster MailForm 1.1.0 contains a temporary file cleanup flaw in attachment handling for the /:target upload route. A remote attacker can repeatedly submit multipart/form-data requests with attachments to a reachable target, causing uploaded temporary files to persist on disk after request completion and leading to disk exhaustion and denial of service.\n\n## Affected Product\n- **Vendor**: Feuerhamster\n- **Product**: MailForm\n- **Version**: 1.1.0\n- **Vulnerable Component**: src/router.ts /:target route, Formidable parsing, src/services/email.ts attachment mapping and sendMail flow\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error\n- **Weakness**: CWE-400\n- **Attack Conditions**: Remote repeated multipart/form-data requests with attachments to a reachable /:target route.\n\n## Report Body\n\n### Summary\nFeuerhamster MailForm 1.1.0 contains a temporary file cleanup flaw in attachment handling for the /:target upload route. A remote attacker can repeatedly submit multipart/form-data requests with attachments to a reachable target, causing uploaded temporary files to persist on disk after request completion and leading to disk exhaustion and denial of service.\n\n### Details\nThe route constructs a Formidable parser and parses multipart requests into temporary files. It then passes file.filepath values into Nodemailer attachment objects. The request path does not remove those temporary files after successful or failed request handling, so repeated uploads accumulate files on disk.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50878.\n3. Confirm the security result: Repeated attachment submissions leave temporary files present after request completion and increase disk usage until service availability is affected.\n\n### Impact\nRemote disk exhaustion and denial of service on deployments that accept attachment uploads.\n\n## Remediation\nDelete Formidable temporary files after email delivery or request failure, enforce upload size and count limits, and store attachment temporary files in a bounded cleanup-managed directory.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:46.000000Z"}