CVE-2023-7335 HIGH

CVE-2023-7335: EduSoho < 22.4.7 Arbitrary File Read via classroom-course-statistics

Vendor Hangzhou Kuozhi Network Technology Co., Ltd.
Product EduSoho
Weakness CWE-22 · Path traversal
Published January 22, 2026
Last update January 22, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC).
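A log check for the behaviour described above, as an added example that is not part of the advisory or the vendor's code. The access-log lines are constructed, and the request path is a placeholder because the advisory does not give the export route, so the check keys only on the fileNames[] parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed combined-format log lines. "/EXPORT-ENDPOINT-PLACEHOLDER" is a
# placeholder path, not the real EduSoho route; IPs are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jan/2026:03:10:01 +0000] "GET /EXPORT-ENDPOINT-PLACEHOLDER?fileNames[]=report.csv HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Jan/2026:03:12:44 +0000] "GET /EXPORT-ENDPOINT-PLACEHOLDER?fileNames%5B%5D=..%2F..%2Fconfig%2Fparameters.yml HTTP/1.1" 200 2048',
    '203.0.113.5 - - [19/Jan/2026:03:15:09 +0000] "GET /EXPORT-ENDPOINT-PLACEHOLDER?fileNames[]=%252e%252e%252f%252e%252e%252fconfig%252fparameters.yml HTTP/1.1" 200 2048',
    '192.0.2.10 - - [19/Jan/2026:03:20:30 +0000] "GET /EXPORT-ENDPOINT-PLACEHOLDER?fileNames[]=stats..2025.csv HTTP/1.1" 200 700',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." only counts when it is a whole path segment (so "stats..2025.csv" is benign).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_filenames(request_target):
    """Return decoded fileNames[] values that contain a traversal segment."""
    hits = []
    query = urlsplit(request_target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not key.startswith("fileNames["):
            continue
        decoded = fully_decode(value)
        if TRAVERSAL_RE.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines):
    """Return (client_ip, decoded_value) for every flagged request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            for value in suspicious_filenames(match.group(1)):
                findings.append((line.split()[0], value))
    return findings
```

A flagged request that returned HTTP 200 on a version before 22.4.7 is a reason to treat the secrets in config/parameters.yml as exposed and rotate them.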

Key dates

02 Disclosure timeline

January 22, 2026 CVE published
January 22, 2026 Record updated