Which versions of Sanster IOPaint are affected by CVE-2026-5258?

IOPaint version 1.5.3 contains a critical path traversal vulnerability in its file manager that allows unauthenticated attackers to read, write, or delete arbitrary files on affected systems over the…

Is there a public PoC exploit available for CVE-2026-5258?

Yes, a public proof-of-concept exploit is available for CVE-2026-5258. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-5258?

Within 24 hours: Identify all IOPaint instances running version 1.5.3 in your environment and isolate them from untrusted networks. Within 7 days: Contact Sanster for patch availability status and interim guidance; evaluate alternative file management solutions or temporary network segmentation. Within 30 days: Either deploy a patched version of IOPaint when available, migrate to a supported alternative with equivalent functionality, or implement compensating network controls (WAF rules, IP allowlisting) if operational continuity requires IOPaint 1.5.3 to remain in use.

Sanster IOPaint CVE-2026-5258

Q: What is the CVSS score of CVE-2026-5258?

CVE-2026-5258 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-17821 MEDIUM

Path Traversal (CWE-22)

2026-04-01 VulDB

GHSA-qw2j-qjh4-32jw

Path Traversal

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 01, 2026 - 14:23 vuln.today

Public exploit code

EUVD ID Assigned

Apr 01, 2026 - 07:00 euvd

EUVD-2026-17821

Analysis Generated

Apr 01, 2026 - 07:00 vuln.today

CVE Published

Apr 01, 2026 - 06:45 nvd

MEDIUM 6.9

DescriptionNVD

A vulnerability was found in Sanster IOPaint 1.5.3. Impacted is the function _get_file of the file iopaint/file_manager/file_manager.py of the component File Manager. Performing a manipulation of the argument filename results in path traversal. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in Sanster IOPaint 1.5.3 File Manager allows unauthenticated remote attackers to read, write, or delete arbitrary files via manipulated filename parameters in the _get_file function. EPSS data unavailable, but publicly available exploit code exists. …

RemediationAI

Within 24 hours: Identify all IOPaint instances running version 1.5.3 in your environment and isolate them from untrusted networks. Within 7 days: Contact Sanster for patch availability status and interim guidance; evaluate alternative file management solutions or temporary network segmentation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-5258 vulnerability details – vuln.today

Back

Sanster IOPaint CVE-2026-5258

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Sanster IOPaint CVE-2026-5258

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code