CVE-2026-6620 MEDIUM

CVE-2026-6620: SonicCloudOrg sonic-server File Upload Endpoint FileTool.java upload path traversal

Vendor Soniccloudorg

Product sonic-server

Weakness CWE-22 · Path traversal

Published April 20, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was found in SonicCloudOrg sonic-server up to 2.0.0. The affected element is the function Upload of the file FileTool.java of the component File Upload Endpoint. The manipulation of the argument Type results in path traversal. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

Disclosure timeline

April 20, 2026 CVE published

April 20, 2026 Record updated