Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component is the RDP drive redirection. Depending on implementation, the vulnerability can be exploited by an unauthenticated attacker.
This issue affects SparkView: before build 1127.
AnalysisAI
Path traversal in Remote Spark SparkView before build 1127 enables remote attackers to read and write arbitrary files as root through the RDP drive redirection component, leading to full remote code execution. CVSS 4.0 scores this 10.0 with no public exploit identified at time of analysis, though SSVC marks it automatable with total technical impact. Depending on the deployment, exploitation can be performed without authentication, making vulnerable internet-facing instances a high-priority patching target.
Technical ContextAI
SparkView is an HTML5-based remote desktop gateway from Remote Spark (remotespark.com) that proxies RDP, VNC, SSH, and Telnet sessions to browsers without client-side plugins. The flaw lives in its RDP drive redirection feature, which bridges the remote session's virtual channel to filesystem paths on the gateway host. CWE-23 (Relative Path Traversal) indicates the affected code does not sanitize '..' sequences or absolute paths supplied through the drive-redirection channel, allowing the gateway process - which runs as root - to access files outside the intended redirection sandbox. Because read and write are both possible as root, attackers can overwrite system binaries, cron jobs, SSH keys, or web-served files to pivot from file I/O to arbitrary code execution. The affected CPE is cpe:2.3:a:remote_spark_(https://www.remotespark.com/):sparkview:*:*:*:*:*:*:*:*, covering all SparkView builds prior to 1127.
RemediationAI
Upgrade SparkView to build 1127 or later, which is the vendor-released patch identified in the EUVD record and referenced from the Remote Spark product page at https://www.remotespark.com/view/new.html. Until the upgrade can be applied, disable the RDP drive redirection feature in the SparkView configuration to remove the vulnerable code path entirely - this breaks file-transfer convenience between client and remote session but preserves all other remote-access functionality. Additionally, place the SparkView gateway behind an authenticated reverse proxy or VPN so that the 'depending on implementation' unauthenticated path is closed off, and run the SparkView process under a non-root account where supported to limit blast radius if the traversal is reached. Monitor the gateway host for unexpected writes to /etc, /root, cron directories, and web roots as a detection backstop.
More in Www Remotespark Com
View allSame weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33281
GHSA-fhv3-q37g-rjx5