Description
Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any file if they have the appropriate permissions outside the document root configured on the server.
Published: 2026-03-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Disclosure
Action: Apply Patch
AI Analysis

Impact

The Small HTTP Server version 3.06.36 contains an authenticated path‑traversal flaw in the root path that permits an attacker to bypass the server’s SecurityManager and read arbitrary files located outside the configured document root. This defect allows remote users who have the necessary file system permissions to retrieve sensitive content, potentially exposing confidential information or system configuration files. The weakness is classified as a Path Traversal (CWE‑22) issue.

Affected Systems

The vulnerable product is the Small HTTP Server from Smallsrv, specifically version 3.06.36. The vendor has released a fixed version, 3.06.38, which addresses the path‑traversal vulnerability. The CPE entries list both the exact vulnerable version and the broader small_http_server package, indicating that only the 3.06.36 release is affected.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating a high potential impact if exploited. However, the EPSS score is less than 1%, suggesting that exploitation has not yet been widely observed and is unlikely to be actively targeted. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a valid authenticated user who has sufficient file‑system permissions; the attacker typically sends a crafted request to the root path containing traversal sequences, causing the server to return the contents of the targeted file. The remote nature of the attack, coupled with the need for authentication, limits the attack surface but still presents a serious risk of data exposure.

Generated by OpenCVE AI on March 26, 2026 at 22:29 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed in version V3.06.38.


OpenCVE Recommended Actions

  • Update Small HTTP Server to version 3.06.38 or later.
  • If an update is not immediately feasible, limit the filesystem permissions of authenticated users to prevent reading files outside the document root.
  • Continuously monitor server logs for unusual file access requests to detect possible exploitation attempts.

Generated by OpenCVE AI on March 26, 2026 at 22:29 UTC.
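The mitigation and monitoring points in the recommended actions, as an added example that is not code from Small HTTP Server or Smallsrv: a document-root containment check of the kind a request-path SecurityManager must enforce (reject any '..' segment after decoding, then confirm the resolved path still lies under the real root), and a scan of access-log lines for traversal attempts so the "monitor server logs" step is concrete. The document root, the Common Log Format layout and the sample log lines are constructed assumptions.

```python
# Added example, not Small HTTP Server code: a defender-side containment check for
# requested paths (the CWE-22 class this record describes) plus a scan of
# constructed access-log lines for traversal attempts. The document root, log
# format and sample lines below are assumptions, not taken from any real server.
import os
import posixpath
import re
from urllib.parse import unquote


def decode_request_path(raw: str) -> str:
    """Normalise a request target the way a server must before any root check.

    Drops the query string, percent-decodes until stable (so a double-encoded
    %252e%252e does not survive a single pass), and folds backslashes into
    slashes, since Windows builds treat both as separators.
    """
    path = raw.split("?", 1)[0]
    previous = None
    while previous != path:          # repeat until no encoded bytes remain
        previous = path
        path = unquote(path)
    return path.replace("\\", "/")


def has_traversal_segment(raw: str) -> bool:
    """True if any decoded path segment is '..' or a NUL byte is present."""
    decoded = decode_request_path(raw)
    return "\x00" in decoded or ".." in decoded.split("/")


def resolve_under_root(doc_root: str, raw: str):
    """Map a request target to a filesystem path, or None if it must be refused.

    Two independent gates: reject any '..' segment outright (so attempts show
    up as refusals in the log instead of being silently clamped), then confirm
    the resolved path, symlinks followed, is still under the real document root.
    """
    if has_traversal_segment(raw):
        return None
    root = os.path.realpath(doc_root)
    relative = posixpath.normpath(decode_request_path(raw)).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:               # different drives on Windows: never inside
        inside = False
    return candidate if inside else None


# Constructed Common Log Format lines (assumption; not from any real server).
SAMPLE_LOG = """\
192.0.2.10 - alice [26/Mar/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - alice [26/Mar/2026:12:00:05 +0000] "GET /../../app/config.ini HTTP/1.1" 200 92
192.0.2.11 - bob [26/Mar/2026:12:00:09 +0000] "GET /%2e%2e/%2e%2e/app/config.ini HTTP/1.1" 404 0
192.0.2.12 - - [26/Mar/2026:12:00:12 +0000] "GET /docs/..%5c..%5capp%5cconfig.ini HTTP/1.1" 403 0
192.0.2.13 - carol [26/Mar/2026:12:00:20 +0000] "GET /docs/guide.html?ref=..%2f HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_attempts(log_text: str):
    """Return one record per request whose path contains a traversal segment.

    A 200 response to such a request is the signal that matters: on an
    unpatched 3.06.36 instance it means a file outside the root was served.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal_segment(m["target"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"], "user": m["user"], "target": m["target"],
                "status": status, "likely_disclosure": status == 200,
            })
    return hits


if __name__ == "__main__":
    for raw in ("/index.html", "/../../app/config.ini", "/%2e%2e/app/config.ini"):
        print(f"{raw!r:32} -> {resolve_under_root('/srv/www', raw)}")
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

The query string is stripped before inspection, so a `..` inside a parameter (the last sample line) is not flagged; only the path component decides. When reviewing logs, the lines to escalate are those where a traversal segment is paired with a 200 status and a non-zero response size, since those indicate the file was actually returned rather than refused.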

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:15:00 +0000

Type: First Time appeared
  Values Added: Smallsrv small Http Server
Type: CPEs
  Values Added: cpe:2.3:a:smallsrv:small_http_server:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Smallsrv small Http Server
Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Thu, 26 Mar 2026 14:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 13:30:00 +0000

Type: Weaknesses
  Values Removed: CWE-428

Thu, 26 Mar 2026 12:45:00 +0000

Type: Description
  Values Removed: Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.
  Values Added: Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any file if they have the appropriate permissions outside the document root configured on the server.
Type: Weaknesses
  Values Added: CWE-22
Type: Metrics
  Values Removed: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: Description
  Values Added: Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.
Type: Title
  Values Added: Multiple vulnerabilities in Small HTTP server by Smallsrv
Type: First Time appeared
  Values Added: Smallsrv; Smallsrv small Http
Type: Weaknesses
  Values Added: CWE-428
Type: CPEs
  Values Added: cpe:2.3:a:smallsrv:small_http:3.06.36:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Smallsrv; Smallsrv small Http
Type: References
  Values Added: (empty)
Type: Metrics
  Values Added: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-26T13:40:20.561Z

Reserved: 2025-04-16T09:57:06.080Z

Link: CVE-2025-41368

Vulnrichment

Updated: 2026-03-26T13:40:16.762Z

NVD

Status : Analyzed

Published: 2026-03-26T12:16:08.583

Modified: 2026-03-26T21:07:45.300

Link: CVE-2025-41368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:45Z

Weaknesses