CVE-2026-6418

EPSS 0.38%
Veröffentlicht 05.05.2026 06:21:37
Zuletzt bearbeitet 12.05.2026 15:53:35
Quelle eb41dac7-0af8-4f84-9f6d-027277
CVE-Watchlists
Login
Unerledigt
Login

PaperCut NG/MF: Path Traversal in Shared Account Synchronization

An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.



Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.



When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Papercut ≫ Papercut Mf Version < 25.0.11

Papercut ≫ Papercut Ng Version < 25.0.11

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.292

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
eb41dac7-0af8-4f84-9f6d-0272772514f4	4.6	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-36 Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

CWE-552 Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-6418

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-6418

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-6418

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-6418