Skip to main content

Scape CVE-2026-31913

| EUVDEUVD-2026-15813 HIGH
Path Traversal (CWE-22)
2026-03-25 Patchstack GHSA-mqc7-5qj8-5f3j
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.16
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15813
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.6

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16.

AnalysisAI

Whitebox-Studio Scape versions prior to 1.5.16 contain a path traversal vulnerability allowing unauthenticated remote attackers to cause denial of service by accessing restricted directories and exhausting system resources. The vulnerability requires no user interaction and can be exploited over the network with low complexity, affecting the availability of affected systems. No patch is currently available.

Technical ContextAI

The vulnerability is rooted in improper input validation and pathname sanitization in the Scape WordPress theme (CPE: cpe:2.3:a:whitebox-studio:scape:*:*:*:*:*:*:*:*). This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability where user-supplied input containing path traversal sequences (such as ../ or similar directory escape patterns) is not adequately filtered before being used in file system operations. WordPress themes that handle file uploads, downloads, or asset serving are particularly vulnerable if they construct file paths using unsanitized user input without implementing proper canonicalization or allowlist validation.

RemediationAI

Immediately upgrade Whitebox-Studio Scape to version 1.5.16 or later, which addresses the path traversal vulnerability. This can typically be done through the WordPress theme update interface. Until patching is possible, implement strict input validation on any user-supplied parameters that influence file operations, restrict file system permissions on the web server to the minimum necessary scope, and consider implementing a Web Application Firewall (WAF) rule to detect and block common path traversal patterns (../, ..\, encoded variants, etc.). Additionally, ensure that the wp-content/uploads directory and other sensitive directories are not directly web-accessible for execution, and monitor file access logs for suspicious traversal attempts. The patch information and technical details are available in the Patchstack advisory referenced above.

Share

CVE-2026-31913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy