Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable PHP endpoint; AC:H because exploitation requires knowledge of specific untrusted parameter structure; only low confidentiality disclosure with zero integrity or availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization.
AnalysisAI
Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability is triggered through an HTTP request to the frontend/php/file.php endpoint in any Savane 3.14-3.17 deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The overall risk signal is low-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker with HTTP access to a Savane 3.14-3.17 instance crafts a request to frontend/php/file.php with a manipulated authorization parameter that the server-side logic accepts as trusted, substituting their own value for the expected session-derived authorization context. The server evaluates the tainted parameter in the access check at lines 113 or 123, concludes access is permitted, and returns a file from a restricted project that the attacker would not otherwise be authorized to retrieve. … |
| Remediation | No vendor-released patch with an exact fix version has been identified from available data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_hea
An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate
Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary fil
Cross Site Request Forgery vulnerability in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges
Same weakness CWE-696 – Incorrect Behavior Order
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38135