Skip to main content

Labone

1 CVEs product

Monthly

CVE-2026-6903 HIGH PATCH This Week

Path traversal in Zurich Instruments LabOne Web Server allows unauthenticated remote attackers to read arbitrary files accessible to the LabOne process. The vulnerability combines insufficient input validation (CWE-22) with missing CORS restrictions, enabling direct exploitation or browser-based attacks via malicious websites. EPSS data not available, but the network-accessible unauthenticated attack vector (AV:N/PR:N/UI:N) combined with vendor-confirmed patch indicates active vendor response to a readily exploitable information disclosure flaw. Exploitation limited to installations running the Web Server component; API-only deployments are unaffected.

Path Traversal Labone
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Path traversal in Zurich Instruments LabOne Web Server allows unauthenticated remote attackers to read arbitrary files accessible to the LabOne process. The vulnerability combines insufficient input validation (CWE-22) with missing CORS restrictions, enabling direct exploitation or browser-based attacks via malicious websites. EPSS data not available, but the network-accessible unauthenticated attack vector (AV:N/PR:N/UI:N) combined with vendor-confirmed patch indicates active vendor response to a readily exploitable information disclosure flaw. Exploitation limited to installations running the Web Server component; API-only deployments are unaffected.

Path Traversal Labone
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy