Skip to main content

LibreBooking CVE-2026-61343

| EUVDEUVD-2026-42662 HIGH
Relative Path Traversal (CWE-23)
2026-07-09 9119a7d8-5eab-497f-8521-727c672e3725 GHSA-7793-hmg3-gh57
8.6
CVSS 4.0 · Vendor: 9119a7d8-5eab-497f-8521-727c672e3725
Share

Severity by source

Vendor (9119a7d8-5eab-497f-8521-727c672e3725) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable admin save action (AV:N/AC:L) requires administrator privileges (PR:H) with no user interaction; arbitrary file write to RCE yields full C/I/A impact with no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (9119a7d8-5eab-497f-8521-727c672e3725).

CVSS VectorVendor: 9119a7d8-5eab-497f-8521-727c672e3725

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 19:01 EUVD
Analysis Generated
Jul 09, 2026 - 18:44 vuln.today

DescriptionCVE.org

LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.

AnalysisAI

Authenticated remote code execution in LibreBooking (open-source scheduling/reservation platform) versions prior to 5.1.0 allows an administrator to write arbitrary files outside the intended template directory by abusing the email template editor's save action, which trusts the submitted template name as part of the destination file path. Because the resulting file can be dropped into a web-executable location, the write primitive escalates to server-side code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials
Delivery
Access email template editor
Exploit
Save template with traversal name + PHP payload
Execution
Write file into web root
Persist
Request dropped script over HTTP
Impact
Execute arbitrary code on server

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated LibreBooking administrator account (CVSS PR:H) with access to the email template editor's save action - this specific feature is the vulnerable entry point. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:H/UI:N and high confidentiality, integrity and availability impact but no scope/subsequent-system change (SC/SI/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained LibreBooking administrator access (via phishing, credential reuse, or a chained account-takeover) opens the email template editor, saves a template whose 'name' contains a relative path traversal sequence and PHP payload as the body, causing the file to be written into a web-executable directory. The attacker then requests that dropped script over HTTP to execute arbitrary code on the server. …
Remediation Vendor-released patch: upgrade to LibreBooking v5.1.0 or later (https://github.com/LibreBooking/librebooking/releases/tag/v5.1.0), which addresses the traversal in the template-save path (PR #1456 / commit cb9b7ad). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all LibreBooking deployments and affected versions; audit and restrict administrative user access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy