Skip to main content

Canias ERP EUVDEUVD-2026-28951

| CVE-2026-8215 MEDIUM
Path Traversal (CWE-22)
2026-05-10 cna@vuldb.com GHSA-wgqr-wc5c-5vpp
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 10, 2026 - 01:29 vuln.today
CVE Published
May 10, 2026 - 01:16 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This vulnerability affects the function iasRequestFileEvent of the component RMI Interface. This manipulation of the argument m_strSourceFileName causes path traversal. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote path traversal in Industrial Application Software IAS Canias ERP 8.03 allows unauthenticated network attackers to read arbitrary files by manipulating the m_strSourceFileName argument in the iasRequestFileEvent function of the RMI Interface. The vulnerability has been publicly disclosed with proof-of-concept code available, and the vendor has not responded to early disclosure notification.

Technical ContextAI

Canias ERP 8.03 exposes an RMI (Remote Method Invocation) Interface component that processes file requests through the iasRequestFileEvent function. This function fails to properly validate or sanitize the m_strSourceFileName parameter, allowing attackers to inject path traversal sequences (such as ../ or absolute paths) to access files outside the intended directory structure. The root cause is improper input validation of file path arguments (CWE-22: Improper Limitation of a Pathname to a Restricted Directory), a classic vulnerability class affecting file-serving operations in enterprise applications.

RemediationAI

Immediate patching is the primary remediation: contact IAS vendor directly to obtain a security update for Canias ERP 8.03 that properly validates the m_strSourceFileName parameter. If a vendor patch is unavailable or delayed due to non-responsiveness, implement the following compensating controls: restrict network access to the RMI Interface by deploying firewall rules to limit connections only to trusted hosts or subnets; disable or isolate the RMI Interface service if not operationally required; implement file system access controls to limit the scope of files readable by the Canias ERP application process (principle of least privilege); and monitor RMI interface logs for suspicious file path requests containing traversal sequences (../, absolute paths, or encoded variants). These controls reduce exploitability but do not eliminate the underlying vulnerability and should be treated as temporary measures pending vendor remediation.

Share

EUVD-2026-28951 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy