Skip to main content

Yml For Yandex Market CVE-2026-32567

| EUVDEUVD-2026-15929 MEDIUM
Path Traversal (CWE-22)
2026-03-25 Patchstack
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.3.0
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15929
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
MEDIUM 6.8

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in icopydoc YML for Yandex Market yml-for-yandex-market allows Path Traversal.This issue affects YML for Yandex Market: from n/a through < 5.3.0.

AnalysisAI

YML for Yandex Market versions prior to 5.3.0 contain a path traversal vulnerability that allows high-privileged attackers to access files outside restricted directories without user interaction. This vulnerability could enable unauthorized disclosure of sensitive information across the system. Currently, no patch is available and exploitation appears unlikely in the wild.

Technical ContextAI

The vulnerability resides in the icopydoc YML for Yandex Market WordPress plugin (CPE: cpe:2.3:a:icopydoc:yml_for_yandex_market:*:*:*:*:*:*:*:*), a tool designed to generate Yandex Market product feed files in YML format. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), which occurs when the plugin fails to properly validate and sanitize file path inputs. This allows an attacker to use path traversal sequences (such as ../ or absolute paths) to escape the intended directory boundary and access arbitrary files on the server's filesystem. The vulnerability likely exists in file handling or configuration loading routines that do not implement proper input validation.

RemediationAI

Immediately upgrade the YML for Yandex Market plugin to version 5.3.0 or later, which patches the path traversal vulnerability. This is the primary and recommended fix. Administrators should verify the update through the WordPress plugin repository or directly from the vendor. As an interim measure before patching is feasible, restrict administrative access to the plugin settings to only trusted users, implement Web Application Firewall (WAF) rules to detect and block path traversal patterns (../), and consider disabling the plugin if it is not actively in use. Review server access logs for suspicious file access patterns that may indicate exploitation attempts. Refer to the Patchstack security advisory for vendor guidance and any additional context on the vulnerability.

Share

CVE-2026-32567 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy