CubeCart: EUVD-2026-23370 | CVE-2026-35496
Severity: MEDIUM, 5.1 (CVSS 4.0 · NVD)
Weakness: Path Traversal (CWE-22)
2026-04-17 · jpcert · GHSA-4p7p-gf39-gmhp
Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline (6 events)

Severity Changed: Apr 17, 2026 - 06:22 (NVD), LOW to MEDIUM
CVSS changed: Apr 17, 2026 - 06:22 (NVD), 2.7 (LOW) to 5.1 (MEDIUM)
Analysis Generated: Apr 17, 2026 - 05:36 (vuln.today)
EUVD ID Assigned: Apr 17, 2026 - 05:30 (euvd), EUVD-2026-23370
Analysis Generated: Apr 17, 2026 - 05:30 (vuln.today)
CVE Published: Apr 17, 2026 - 04:33 (nvd), MEDIUM 5.1

Description (CVE.org)

A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible.

Analysis (AI)

CubeCart administrative users can exploit a path traversal vulnerability prior to version 6.6.0 to read files from higher-level directories on the server, bypassing intended directory access restrictions. The vulnerability requires administrative privileges and affects CubeCart installations below 6.6.0. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain admin credentials
Delivery: Authenticate to CubeCart backend
Exploit: Access file operation feature
Execution: Inject path traversal sequences
Persist: Bypass directory restrictions
Impact: Read sensitive files outside root

Vulnerability Assessment (AI)

Exploitation: Exploitation requires valid CubeCart administrative credentials and network access to the CubeCart administration interface. …

Risk Assessment: The CVSS v3.0 score of 2.7 (Low severity) is justified by the PR:H (high privilege) requirement, which restricts exploitation to users already granted administrative access - a significant gating factor. …

Exploit Scenario: An administrator with legitimate access to the CubeCart backend logs in and crafts a malicious request containing path traversal sequences (e.g., '../../../etc/passwd') in a file operation parameter. The vulnerable code fails to sanitize this input, allowing the admin to read the system password file, configuration files, or private keys stored outside the CubeCart directory. …

Remediation: Upgrade CubeCart to version 6.6.0 or later immediately. …