What the vulnerability does
01Description
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
CVSS base score
8.6/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Key dates
02Disclosure timeline
May 8, 2026
CVE published
May 13, 2026
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2026-27202 GetSimple CMS: Uploaded Files (feature) Arbitrary File Read Vulnerability
CVE-2024-24578 RaspberryMatic Unauthenticated Remote Code Execution vulnerability through HMServer File Upload
CVE-2024-49062 Microsoft SharePoint Information Disclosure Vulnerability
CVE-2023-6307 jeecgboot JimuReport image path traversal
CVE-2026-1022 Gotac|Statistics Database System - Arbitrary File Read
