Skip to main content

PHP CVE-2026-6487

| EUVD-2026-23417 LOW
Path Traversal (CWE-22)
2026-04-17 VulDB GHSA-mrmx-7hg5-pj7x
PHP Path Traversal
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 17, 2026 - 13:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 17, 2026 - 12:56 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 12:45 euvd
EUVD-2026-23417
Analysis Generated
Apr 17, 2026 - 12:45 vuln.today
CVE Published
Apr 17, 2026 - 12:30 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. This manipulation of the argument path causes path traversal. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in Qihui jtbc5 CMS 5.0.3.6 allows authenticated remote attackers to read arbitrary files via a manipulated path parameter in /dev/code/common/diplomat/manage.php. The vulnerability has a published exploit and affects the Code Endpoint component; the vendor has not responded to early disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain CMS credentials (brute force, credential reuse, or insider)
Delivery
Authenticate to jtbc5 CMS instance
Exploit
Craft HTTP request with path traversal payload (../) in manage.php path parameter
Install
Application fails to validate and sanitizes path input
C2
Send request to /dev/code/common/diplomat/manage.php
Execute
Traverse directory boundaries and access arbitrary file
Impact
Exfiltrate sensitive data (configuration, source code, system files)
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid, authenticated user account on the jtbc5 CMS instance (PR:L in CVSS indicates low privilege level, so standard user accounts suffice - not admin-only). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 score reflects a network-accessible, low-complexity vulnerability requiring low-level authentication (PR:L), with confidentiality impact (C:L) but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated CMS user (obtained via credential compromise, social engineering, or as a legitimate low-privilege user) visits or crafts an HTTP request to /dev/code/common/diplomat/manage.php with a malicious path parameter containing '../' sequences to traverse directories (e.g., path=../../../../etc/passwd). The application fails to validate the path input and processes the traversal, allowing the attacker to read sensitive files such as application configuration files containing database credentials, system files, or other users' data. …
Remediation No vendor-released patch has been identified at time of analysis, as the vendor did not respond to early disclosure contact. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-6487 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy