CVE-2026-53698

Published: Jun 10, 2026Modified: Jun 10, 2026Deferred

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: MITRE (Secondary)

Description

Silverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set.

Related CWEs

Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

References (4)

https://github.com/Silverpeas/Silverpeas-Core/blob/983c5d07928b8a5ddcb39cc17d7fb9a0d87019b9/core-war/src/main/java/org/silverpeas/web/servlets/FileServer.java#L120-L122

Source: cve@mitre.org

https://github.com/Silverpeas/Silverpeas-Core/blob/983c5d07928b8a5ddcb39cc17d7fb9a0d87019b9/core-war/src/main/java/org/silverpeas/web/servlets/FileServer.java#L150-L153

Source: cve@mitre.org

https://github.com/Silverpeas/Silverpeas-Core/commit/caa6e6d1ac967ebd29b39e11c2ef5e7fd0047eec

Source: cve@mitre.org

https://tracker.silverpeas.org/issues/15229

Source: cve@mitre.org

Timeline

No history available yet.