Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin save action (AV:N/AC:L) requires administrator privileges (PR:H) with no user interaction; arbitrary file write to RCE yields full C/I/A impact with no scope change.
Primary rating from Vendor (9119a7d8-5eab-497f-8521-727c672e3725).
CVSS VectorVendor: 9119a7d8-5eab-497f-8521-727c672e3725
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.
AnalysisAI
Authenticated remote code execution in LibreBooking (open-source scheduling/reservation platform) versions prior to 5.1.0 allows an administrator to write arbitrary files outside the intended template directory by abusing the email template editor's save action, which trusts the submitted template name as part of the destination file path. Because the resulting file can be dropped into a web-executable location, the write primitive escalates to server-side code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated LibreBooking administrator account (CVSS PR:H) with access to the email template editor's save action - this specific feature is the vulnerable entry point. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:H/UI:N and high confidentiality, integrity and availability impact but no scope/subsequent-system change (SC/SI/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained LibreBooking administrator access (via phishing, credential reuse, or a chained account-takeover) opens the email template editor, saves a template whose 'name' contains a relative path traversal sequence and PHP payload as the body, causing the file to be written into a web-executable directory. The attacker then requests that dropped script over HTTP to execute arbitrary code on the server. … |
| Remediation | Vendor-released patch: upgrade to LibreBooking v5.1.0 or later (https://github.com/LibreBooking/librebooking/releases/tag/v5.1.0), which addresses the traversal in the template-save path (PR #1456 / commit cb9b7ad). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all LibreBooking deployments and affected versions; audit and restrict administrative user access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-23 – Relative Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42662
GHSA-7793-hmg3-gh57