Description
Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access.

This issue affects:

  • smartLink SW-HT: through 1.42
  • smartLink SW-PN: through 1.03
Published: 2026-03-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Read
Action: Apply Patch
AI Analysis

Impact

This vulnerability in Softing Industrial Automation GmbH smartLinks allows an attacker to read arbitrary files on the host system. The webserver performs improper URL validation, enabling global file reads through the filesystem modules when accessed from a Docker environment. The weakness is identified as incorrect input validation (CWE‑20) and results in unauthorized disclosure of data that may include sensitive configuration or credential files.

Affected Systems

The affected vendor is Softing Industrial Automation GmbH. The impacted products are smartLink SW‑HT and smartLink SW‑PN. The vulnerability exists in all versions up through 1.42 for SW‑HT and up through 1.03 for SW‑PN, as stated by the vendor. Updated versions that contain the fix are smartLink SW‑HT 1.43 and smartLink SW‑PN 1.04.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires crafting an HTTP request that bypasses URL checks; authentication or privileged access is not mentioned, so an attempt likely does not require additional privileges. Because the webserver is network exposed, the vulnerability could be exploited remotely without local access, making it reasonably attractive to attackers.

Generated by OpenCVE AI on March 17, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed in smartLink SW-HT 1.43 and smartLink SW-PN 1.04.


OpenCVE Recommended Actions

  • Update smartLink SW-HT to version 1.43 or newer.
  • Update smartLink SW-PN to version 1.04 or newer.
  • Verify that the webserver no longer allows arbitrary file reads by testing access to protected paths.
  • If an update cannot be applied immediately, restrict external network traffic to the webserver or disable the Docker filesystem modules.

Generated by OpenCVE AI on March 17, 2026 at 11:22 UTC.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000


Fri, 27 Mar 2026 08:30:00 +0000


Mon, 16 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 16 Mar 2026 13:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker (filesystem modules) allows file access. This issue affects smartLink SW-HT: through 1.42 smartLink SW-PN: through 1.03. |
| Title | | Global file reads caused by improper URL checks in webserver |
| First Time appeared | | Softing; Softing smartlink Sw-ht; Softing smartlink Sw-pn |
| Weaknesses | | CWE-20 |
| CPEs | | cpe:2.3:a:softing:smartlink_sw-ht:\*:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:a:softing:smartlink_sw-ht:1.43:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:a:softing:smartlink_sw-pn:\*:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:a:softing:smartlink_sw-pn:1.04:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Softing; Softing smartlink Sw-ht; Softing smartlink Sw-pn |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/RE:L/U:Green'} |


MITRE

Status: PUBLISHED

Assigner: Softing

Published:

Updated: 2026-03-27T08:13:41.200Z

Reserved: 2025-09-15T05:57:59.903Z

Link: CVE-2025-10461

Vulnrichment

Updated: 2026-03-16T14:27:48.578Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:17:53.620

Modified: 2026-03-27T09:16:17.050

Link: CVE-2025-10461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:44:30Z

Weaknesses