Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-6620
6.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Exploit Code Maturity (E): Proof-of-Concept (P)
- Remediation Level (RL): Not Defined (X)
- Report Confidence (RC): Reasonable (R)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
SonicCloudOrg sonic-server File Upload Endpoint FileTool.java upload path traversal
A vulnerability was found in SonicCloudOrg sonic-server up to 2.0.0. The affected element is the function Upload of the file FileTool.java of the component File Upload Endpoint. The manipulation of the argument Type results in path traversal. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
-
VDB-358255 | SonicCloudOrg sonic-server File Upload Endpoint FileTool.java upload path traversal vdb-entrytechnical-description
-
-
Submit #792336 | SonicCloudOrg sonic-server 2.0.0 Injection third-party-advisory
-
Affected products
sonic-server
- ==2.0
Package maintainers
-
@anthonyroussel Anthony Roussel <anthony@roussel.dev>