An arbitrary file upload vulnerability exists in the application, allowing an authenticated attacker to upload crafted files without proper validation of file type, content, or extension.

• Product: docuForm FSM Client
• Affected Versions: 11.11c
• Vulnerability Type: CWE-434: Unrestricted Upload of File with Dangerous Type
• Risk Level: Medium - CVSS 3.1: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
• Vendor URL: www.docuform.de
• Vendor acknowledged vulnerability: Yes
• CVE: CVE-2025-65416

This vulnerability can let an attacker upload malicious files such as web shells or scripts, which may be executed by the server if placed in a web-accessible location. Depending on the application’s configuration and how uploaded files are handled, the impact may include remote code execution, defacement, data theft, privilege escalation, persistence, and complete takeover of the affected system.