
nexent CVE-2026-31215

EUVD-2026-29499 CRITICAL
Files or Directories Accessible to External Parties (CWE-552)
2026-05-12 mitre GHSA-wm59-m58r-x983
CVSS 3.1: 9.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: May 13, 2026 - 15:54 (vuln.today)
CVSS changed: May 13, 2026 - 15:52 (NVD), 9.1 (CRITICAL)
CVE Published: May 12, 2026 - 00:00 (nvd), CRITICAL 9.1
CVE Published: May 12, 2026 - 00:00 (nvd), UNKNOWN (no severity yet)

Description (NVD)

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.

Analysis (AI)

{index_name}/documents endpoint. The backend service fails to authenticate requests or validate the path_or_url parameter, enabling mass data destruction and denial of service. …


Remediation (AI)

{index_name}/documents requests from untrusted networks. Within 30 days: Contact Nexent for patched version availability; if unavailable, evaluate migration to a patched alternative or implement API gateway authentication enforcement upstream of Nexent.
