What the vulnerability does
01Description
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter.
Explanation of Vulnerability in Simple Terms
02Summary
A local vulnerability in Supsystic Backup allows an attacker with local system access to read sensitive information from the backup component. The vulnerability requires no authentication or user interaction. The affected version range appears to contain a single version (2.3.9), though the current version is listed as 3.1.21.3, suggesting this may be a legacy or incorrectly specified version constraint.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the backup system via local file access.
Potential impact on your site
04Site Impact
Backup data containing site configuration, database contents, or other sensitive information could be exposed to users with server access.
Conditions required to exploit
05Prerequisites
Local access to the server; no authentication or user interaction required.
Key dates
06Disclosure timeline
May 16, 2026
CVE published
May 18, 2026
Record updated