What the vulnerability does
01 Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in docxpresso Docxpresso allows Absolute Path Traversal. This issue affects Docxpresso: from n/a through <= 2.6.
Explanation of Vulnerability in Simple Terms
02 Summary
Docxpresso versions 2.6 and earlier contain a path traversal vulnerability that allows an attacker to read arbitrary files from the server. The vulnerability requires specific conditions to exploit but does not require authentication. An attacker can access sensitive files outside the intended directory structure, potentially exposing configuration files, source code, or other confidential data.
What an attacker can do
03 Attacker Capabilities
Read arbitrary files from the server filesystem without authentication.
Potential impact on your site
04 Site Impact
Sensitive files on the server may be exposed, including configuration files with database credentials or API keys.
Conditions required to exploit
05 Prerequisites
Network access to the vulnerable Docxpresso instance; specific attack conditions must be met (high complexity).
Key dates
06 Disclosure timeline
April 3, 2025: CVE published
May 12, 2026: Record updated