CVE-2026-21857

Опубликовано: 07 янв. 2026

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive. Version 5.20.2 fixes this issue.

Ссылки

https://github.com/redaxo/redaxo/releases/tag/5.20.2
Release Notes
https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv
Exploit
Vendor Advisory
https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:redaxo:redaxo:*:*:*:*:*:*:*:*

Версия до 5.20.2 (исключая)

EPSS

Процентиль: 19%

0.0006

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-824x-88xg-cwrv

github

около 1 месяца назад

Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read