CVE-2026-20174

Medienbericht

EPSS 0.06%
Veröffentlicht 01.04.2026 16:29:22
Zuletzt bearbeitet 03.04.2026 16:11:11
Quelle psirt@cisco.com
CVE-Watchlists
Login
Unerledigt
Login

Cisco Nexus Dashboard Insights Arbitrary File Write Vulnerability

A vulnerability in the Metadata update feature of Cisco Nexus Dashboard Insights could allow an authenticated, remote attacker to write arbitrary files to an affected system.

This vulnerability is due to insufficient validation of the metadata update file. An attacker could exploit this vulnerability by crafting a metadata update file and manually uploading it to an affected device. A successful exploit could allow the attacker to write arbitrary files to the underlying operating system as the root user. To exploit this vulnerability, the attacker must have valid administrative credentials.
Note: Manual uploading of metadata files is typical for Air-Gap environments but not for Cisco Intersight Cloud connected devices. However, the manual upload option exists for both deployments.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 2 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerCisco

≫

Produkt Cisco Nexus Dashboard

Default Statusunknown

Version 3.1(1k)

Status affected

Version 3.1(1l)

Status affected

Version 3.2(1e)

Status affected

Version 3.2(1i)

Status affected

Version 3.3(1a)

Status affected

Version 3.3(1b)

Status affected

Version 3.3(2b)

Status affected

Version 4.0(1i)

Status affected

Version 3.3(2g)

Status affected

Version 3.2(2f)

Status affected

Version 3.2(2g)

Status affected

Version 3.2(2m)

Status affected

Version 3.1(1n)

Status affected

Version 4.1(1g)

Status affected

HerstellerCisco

≫

Produkt Cisco Nexus Dashboard Insights

Default Statusunknown

Version 2.2.2.125

Status affected

Version 2.2.2.126

Status affected

Version 5.0.1.150

Status affected

Version 5.0.1.154

Status affected

Version 5.1.0.131

Status affected

Version 5.1.0.135

Status affected

Version 6.0.1

Status affected

Version 6.0.2

Status affected

Version 6.1.1

Status affected

Version 6.1.2

Status affected

Version 6.1.3

Status affected

Version 6.2.1

Status affected

Version 6.2.2

Status affected

Version 6.3.1

Status affected

Version 6.4.1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.172

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
psirt@cisco.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://www.heise.de/news/Cisco-stopft-teils-kritische-Luecken-in-mehreren-Produkten-11244121.html

Media Report

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndi-afw-rJuRC5dZ

https://nvd.nist.gov/vuln/detail/CVE-2026-20174

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-20174

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-20174

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-20174