CVE-2026-23704 — A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable — CVE Database · The Intelligence Room