Skip to main content

Deepractice PromptX CVE-2026-7217

| EUVDEUVD-2026-25973 MEDIUM
Absolute Path Traversal (CWE-36)
2026-04-28 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
PoC Detected
Apr 28, 2026 - 20:31 vuln.today
Public exploit code
CVSS changed
Apr 28, 2026 - 03:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Apr 28, 2026 - 03:16 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 03:00 euvd
EUVD-2026-25973
Analysis Generated
Apr 28, 2026 - 03:00 vuln.today
CVE Published
Apr 28, 2026 - 02:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in Deepractice PromptX up to 2.4.0. The affected element is the function read_docx/read_xlsx/read_pptx/list_xlsx_sheets/read_pdf of the file packages/mcp-office/src/index.ts of the component Document File Handler. Such manipulation of the argument path leads to absolute path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Absolute path traversal in Deepractice PromptX up to version 2.4.0 allows remote unauthenticated attackers to read arbitrary files from the server by manipulating the path argument in document file handling functions (read_docx, read_xlsx, read_pptx, list_xlsx_sheets, read_pdf). Publicly available exploit code exists and the vendor has not responded to early disclosure, though CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates moderate information disclosure risk with no integrity or availability impact.

Technical ContextAI

The vulnerability resides in the Document File Handler component (packages/mcp-office/src/index.ts) of PromptX's Model Context Protocol (MCP) office file processing module. The affected functions handle reading Microsoft Office documents (Word, Excel, PowerPoint) and PDF files. The root cause is CWE-36 (Absolute Path Traversal), where insufficient input validation on the path parameter allows attackers to bypass directory restrictions and access files outside the intended document storage directory. The functions do not properly sanitize or canonicalize file paths, permitting traversal sequences such as absolute paths or complex relative path constructs to reach sensitive files on the server filesystem.

RemediationAI

Upgrade Deepractice PromptX to a version later than 2.4.0 once a patch is released; currently no patched version is available and the vendor has not responded to early disclosure. As a temporary compensating control, restrict network access to the PromptX service to trusted internal networks only, or place it behind an authentication gateway (e.g., OAuth, reverse proxy authentication) to require authentication despite the PR:N vector suggesting unauthenticated access-this raises the attack barrier pending a patch. Additionally, review and restrict the file system permissions of the PromptX process user to minimize the scope of readable files in case of exploitation (principle of least privilege). Input validation can be hardened on the application side by implementing strict path canonicalization and whitelisting allowed document directories, but this requires code changes and is not a substitute for upgrading. Monitor the GitHub repository (https://github.com/Deepractice/PromptX/) and VulDB for patch announcements.

Share

CVE-2026-7217 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy