Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable upload feature (AV:N/AC:L) requires a low-privilege account (PR:L) and no interaction; arbitrary file overwrite yields low integrity and high availability impact with no confidentiality loss.
Primary rating from Vendor (themissinglink).
CVSS VectorVendor: themissinglink
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files.
This issue affects MicroRealEstate: through 1.0.0-alpha3.
AnalysisAI
Relative path traversal in the MicroRealEstate file upload functionality lets an authenticated low-privilege user supply crafted filenames containing directory-traversal sequences to write outside the intended upload directory and potentially overwrite system files. All releases through 1.0.0-alpha3 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account on the target MicroRealEstate instance (CVSS PR:L) and access to the file upload functionality - the specific feature named in the advisory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The only quantitative signal provided is a CVSS 4.0 base score of 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N with VC:N/VI:L/VA:H), indicating a network-reachable, low-complexity attack that requires some authentication (PR:L) and no user interaction, whose primary consequence is high availability impact and low integrity impact with no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege but authenticated user of a MicroRealEstate instance (for example a tenant or limited staff account) uploads a document but sets the filename or target path to a traversal string such as '../../../../etc/crontab' or an application config file. The server resolves the path relative to the upload directory without sanitization and overwrites the targeted file, corrupting the application or host and causing denial of service or altered behavior. … |
| Remediation | No vendor-released patch identified at time of analysis - the input lists the affected range 'through 1.0.0-alpha3' but no fixed version, and the references point to the project repository and the reporter advisory rather than a tagged patched release; monitor https://github.com/microrealestate/microrealestate and https://www.themissinglink.com.au/security-advisories/cve-2026-57871 for a fix and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42008
GHSA-56qr-p95w-94vh