Skip to main content

AIL Framework EUVDEUVD-2026-41775

| CVE-2026-59510 HIGH
Path Traversal (CWE-22)
2026-07-05 CIRCL GHSA-jf65-fx73-9f2j
7.1
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
vuln.today AI
5.3 MEDIUM

Authenticated PDF operation gives PR:L; vendor notes additional errors must be cleared first, so AC:H; arbitrary file read yields C:H with no integrity or availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 18:21 vuln.today

DescriptionCVE.org

AIL Framework contains a path traversal vulnerability in its PDF object handling. Prior to commit 14c618fce4d1df02358717c48ea903706abecdf2, the PDF.get_filepath() function constructed a file path by joining the configured PDF storage directory with a path derived from a PDF object identifier, without verifying that the resolved path remained within the intended PDF_FOLDER directory.

An authenticated attacker able to invoke PDF object operations with a crafted identifier could use relative traversal sequences or absolute path components to cause AIL Framework to open files located outside the PDF storage directory. This could allow disclosure of files readable by the AIL process, including application configuration, credentials, or other sensitive local data. This vulnerability is potential due to additional errors before being able to be executed.

The fix canonicalises the resulting path with os.path.realpath() and rejects paths whose common directory is outside the configured PDF directory.

AnalysisAI

Path traversal in AIL Framework's PDF object handling lets an authenticated user read files outside the intended PDF storage directory. The PDF.get_filepath() function joined the configured PDF_FOLDER with an attacker-influenced object identifier without validating the resolved location, so crafted relative traversal sequences or absolute path components could point AIL at arbitrary files readable by the service account, exposing configuration, credentials, or other local secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege AIL account
Delivery
Invoke PDF object operation with crafted identifier
Exploit
Inject '../' or absolute path components
Execution
Bypass PDF_FOLDER containment in get_filepath()
Persist
Read files outside PDF storage directory
Impact
Disclose AIL config or credentials

Vulnerability AssessmentAI

Exploitation Requires an authenticated AIL Framework account (CVSS PR:L) with the ability to invoke PDF object operations and supply or influence the PDF object identifier consumed by PDF.get_filepath(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L, base 7.1) characterises this as network-reachable, low-complexity, low-privilege with high confidentiality impact and no integrity or availability impact - consistent with an authenticated file-read primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user of an AIL instance invokes a PDF object operation supplying a crafted object identifier containing '../' sequences or an absolute path aimed at the AIL config or a system secrets file. AIL's get_filepath() resolves the path outside PDF_FOLDER and opens the target, disclosing credentials or configuration to the attacker. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - update AIL Framework to a build that includes commit 14c618fce4d1df02358717c48ea903706abecdf2, which adds os.path.realpath() canonicalisation and rejects paths whose common directory lies outside the configured PDF_FOLDER (patch: https://github.com/ail-project/ail-framework/commit/14c618fce4d1df02358717c48ea903706abecdf2.patch). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running AIL Framework and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy