Skip to main content

Gigamon GVOS EUVDEUVD-2026-40170

| CVE-2026-36848 HIGH
Path Traversal (CWE-22)
2026-06-29 cve@mitre.org GHSA-9926-qcxh-376f
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable H-VUE web interface with no auth or interaction (AV:N/AC:L/PR:N/UI:N); arbitrary file read yields high confidentiality loss but no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 29, 2026 - 20:30 vuln.today
CVSS changed
Jun 29, 2026 - 20:22 NVD
7.5 (HIGH)
CVE Published
Jun 29, 2026 - 18:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Gigamon GVOS v5.16.1 and below is vulnerable to Directory Traversal in the GVOS H-VUE subsystem.

AnalysisAI

Path traversal in the H-VUE web management subsystem of Gigamon GigaVUE-OS (GVOS) versions 5.16.1 and earlier allows remote attackers to read arbitrary files outside the intended web root, exposing sensitive system data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity, unauthenticated exploitation with high confidentiality impact but no integrity or availability effect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach H-VUE web interface over network
Delivery
Send crafted request with '../' path sequence
Exploit
Bypass directory restriction in H-VUE
Execution
Read arbitrary appliance file
Impact
Exfiltrate sensitive configuration or credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the H-VUE web management subsystem of an affected GVOS appliance (version 5.16.1 or below); per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, no user interaction, and no special configuration is needed beyond the H-VUE interface being accessible to the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a credible but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the H-VUE web interface over the network sends a crafted HTTP request with a manipulated path or filename parameter containing '../' traversal sequences. Because no authentication is required (PR:N) and complexity is low, the request resolves to a sensitive file outside the web root - such as a configuration file or credential store - and returns its contents to the attacker, who can then use the disclosed data to deepen the compromise.
Remediation No specific vendor-released fixed version is identified in the available data, so no exact upgrade target can be cited; consult Gigamon support and the GigaVUE-OS release notes for a patched build above 5.16.1 and apply it once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Gigamon GigaVUE-OS deployments and assess whether H-VUE management interfaces are reachable from untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy