Skip to main content

Pitchprint CVE-2026-22448

| EUVDEUVD-2026-15486 HIGH
Path Traversal (CWE-22)
2026-03-25 Patchstack GHSA-6j9x-qfg8-f96r
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15486
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2.

AnalysisAI

A path traversal vulnerability exists in flexcubed PitchPrint plugin through version 11.1.2, allowing attackers to access files outside of restricted directories. The vulnerability affects the PitchPrint WordPress plugin and enables unauthorized file access through improper pathname validation. No CVSS score or EPSS data is currently available, but the CWE-22 classification and Patchstack reporting indicate this is a genuine path traversal issue requiring immediate attention.

Technical ContextAI

The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common weakness in web applications that fail to properly validate and sanitize user-supplied file path inputs. The affected product is flexcubed PitchPrint (CPE: cpe:2.3:a:flexcubed:pitchprint:*:*:*:*:*:*:*:*), a WordPress plugin used for design customization. The path traversal flaw likely occurs in file handling or template processing logic where directory traversal sequences (e.g., '../') are not adequately filtered, allowing attackers to escape the intended application directory and access arbitrary files on the server filesystem. This is a classic input validation vulnerability where user-controlled file path parameters are not sufficiently restricted to their intended base directory.

RemediationAI

Immediately upgrade the PitchPrint plugin to a version higher than 11.1.2 (consult the Patchstack advisory and official flexcubed release notes for the patched version). Until a patch is available or can be deployed, implement the following interim controls: restrict file upload and processing functionality at the web server or WAF level, apply strict input validation and sanitization rules that reject any path traversal sequences (../, ..\ ), enforce principle of least privilege on the web server process to limit file system access, and monitor file system access logs for suspicious path traversal attempts. Additionally, consider temporarily disabling the PitchPrint plugin if the risk cannot be otherwise mitigated pending patch availability.

Share

CVE-2026-22448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy