Impact
The affected component in DreamFactory Core is a PHP REST controller that fails to sanitize the URI path. An attacker can supply a crafted request that contains path traversal sequences, such as "../". This manipulation allows the application to read any file on the server that the web server process can access, potentially exposing sensitive configuration, credentials, or source code. The weakness is classified as CWE-22, a directory traversal flaw that directly compromises confidentiality, and may lead to further integrity or availability problems if attackers gain read access to critical files.
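As an added example that is not DreamFactory's code, the PHP below shows the canonicalisation and base-directory confinement a REST controller needs before it maps a URI path onto a file; the function names, the base directory and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example, not DreamFactory code: a defensive check for the CWE-22 pattern above.
// A controller that maps part of the URI onto a file must canonicalise that path and
// confine it to a base directory before reading anything.

// Lexical step: return the safe relative path for $uriPath, or null to reject it.
function normalizeUriPath(string $uriPath): ?string
{
    $decoded = $uriPath;
    while (($next = rawurldecode($decoded)) !== $decoded) {
        $decoded = $next;  // repeat until stable so a double-encoded ".." is exposed
    }
    // NUL bytes and backslashes have no place in a URI file path; refuse them.
    if (strpbrk($decoded, "\0\\") !== false) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $decoded) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;          // empty and "." segments are harmless, drop them
        }
        if ($segment === '..') {
            return null;       // any climb is rejected, not silently collapsed
        }
        $parts[] = $segment;
    }
    return implode('/', $parts);
}

// Filesystem step: realpath() follows symlinks, so the resolved target is checked
// against the resolved base directory as a second barrier.
function resolveWithinBase(string $baseDir, string $uriPath): ?string
{
    $relative = normalizeUriPath($uriPath);
    $realBase = realpath($baseDir);
    if ($relative === null || $relative === '' || $realBase === false) {
        return null;
    }
    $real = realpath($realBase . DIRECTORY_SEPARATOR . $relative);
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    return ($real !== false && strncmp($real, $prefix, strlen($prefix)) === 0) ? $real : null;
}

// Constructed sample inputs: the first is accepted, the rest are rejected as traversal.
foreach (['docs/readme.txt', '../../etc/passwd', '%2e%2e%2fetc%2fpasswd', 'a/..\\b'] as $p) {
    printf("%-24s => %s\n", $p, var_export(normalizeUriPath($p), true));
}
```

Log any null result from these checks at the controller boundary; a burst of rejected paths from one client is the detection signal for attempts on this class of flaw.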
Affected Systems
The flaw is present only in DreamFactory Core version 1.0.3. Users running this exact version, or any earlier releases that have not been patched by the community commit referenced in the advisory, are affected. The product is the open‑source backend framework DreamFactory Core provided by DreamFactory Software.
Risk and Exploitability
The CVSS base score is 7.2, indicating a high severity for a medium complexity attack. The EPSS score of less than 1% suggests that exploitation attempts are unlikely at present, and the vulnerability is not recorded in the CISA KEV list. Nevertheless, the ease of crafting the malicious URI and the fact that the flaw resides in a publicly exposed REST endpoint mean that the attack vector is remote over HTTP or HTTPS. An attacker only needs network access to the application and the ability to send a JSON‑encoded request, making exploitation relatively straightforward if the system exposes the vulnerable endpoint to the internet.