Skip to main content

MicroRealEstate CVE-2026-57871

| EUVDEUVD-2026-42008 HIGH
Relative Path Traversal (CWE-23)
2026-07-07 vdp@themissinglink.com.au GHSA-56qr-p95w-94vh
7.1
CVSS 4.0 · Vendor: themissinglink
Share

Severity by source

Vendor (themissinglink) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable upload feature (AV:N/AC:L) requires a low-privilege account (PR:L) and no interaction; arbitrary file overwrite yields low integrity and high availability impact with no confidentiality loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (themissinglink).

CVSS VectorVendor: themissinglink

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVE Published
Jul 07, 2026 - 06:38 cve.org
HIGH 7.1
Analysis Generated
Jul 07, 2026 - 06:37 vuln.today

DescriptionCVE.org

Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files.

This issue affects MicroRealEstate: through 1.0.0-alpha3.

AnalysisAI

Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Access file upload endpoint
Exploit
Submit crafted filename with '../' sequences
Execution
Server writes outside upload directory
Persist
Overwrite system or config file
Impact
Corruption or denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account on the target MicroRealEstate instance (CVSS PR:L) and access to the file upload functionality - the specific feature named in the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The only quantitative signal provided is a CVSS 4.0 base score of 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N with VC:N/VI:L/VA:H), indicating a network-reachable, low-complexity attack that requires some authentication (PR:L) and no user interaction, whose primary consequence is high availability impact and low integrity impact with no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege but authenticated user of a MicroRealEstate instance (for example a tenant or limited staff account) uploads a document but sets the filename or target path to a traversal string such as '../../../../etc/crontab' or an application config file. The server resolves the path relative to the upload directory without sanitization and overwrites the targeted file, corrupting the application or host and causing denial of service or altered behavior. …
Remediation No vendor-released patch identified at time of analysis - the input lists the affected range 'through 1.0.0-alpha3' but no fixed version, and the references point to the project repository and the reporter advisory rather than a tagged patched release; monitor https://github.com/microrealestate/microrealestate and https://www.themissinglink.com.au/security-advisories/cve-2026-57871 for a fix and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57871 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy