Description
Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.
Published: 2026-03-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Traversal leading to unauthorized file access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw that allows a remote authenticated user to specify arbitrary file paths, providing access to files outside the intended directory. This can result in the disclosure of sensitive configuration, source code, or other confidential information. The weakness is a classic instance of insecure relative path processing, categorized as CWE-22.

Affected Systems

Census CSWeb version 8.0.1 is the only release identified as vulnerable. The vendor has released a fix in version 8.1.0 alpha. No other products or versions are listed as affected.

Risk and Exploitability

The base CVSS score of 8.7 signals a high severity flaw, while the EPSS score of less than 1% and absence from the KEV catalog suggest that exploitation is currently uncommon. An attacker must be authenticated to trigger the vulnerability, after which they can read unintended files. Though no publicly available exploitation code is documented, the high impact warrants swift remediation.

Generated by OpenCVE AI on March 26, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Census CSWeb to version 8.1.0 alpha or later
  • Confirm that authentication mechanisms are properly configured and that only authorized users can access the application
  • Restrict filesystem permissions to prevent the application process from accessing sensitive directories
  • Validate and sanitize all user-supplied path inputs to eliminate traversal patterns
  • Audit access logs for unexpected file access patterns and investigate any anomalies
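The two recommendations above that a developer or defender can act on directly are path validation and log auditing. The following is an added illustration written for this page, not CSWeb's code and not the vendor's fix: a containment check that resolves a user-supplied path against a fixed base directory and rejects anything that escapes it, plus a small scan over constructed access-log lines for raw and percent-encoded traversal sequences. The base directory, the request layout and the log format are assumptions.

```python
"""Added example (not CSWeb code): contain a user-supplied file path inside a
fixed base directory, and flag traversal-looking request paths in access logs.
The base directory and log format below are assumptions for the illustration."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed base directory that the application is meant to serve files from.
BASE = "/srv/csweb/files"


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path of user_path under base_dir, or None if the
    request would resolve outside base_dir.

    The containment test is done on fully resolved paths (symlinks expanded,
    '..' collapsed) so that '..' segments, absolute inputs and symlink escapes
    are all handled in one place.
    """
    if "\x00" in user_path:  # NUL bytes silently truncate paths in C runtimes
        return None
    base = os.path.realpath(base_dir)
    # os.path.join would discard base if user_path were absolute; strip leading
    # separators so an absolute input is treated as relative to base instead.
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    # commonpath is the reliable containment test: a plain startswith() check
    # would accept '/srv/csweb/files2/x' as living inside '/srv/csweb/files'.
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """True if the path contains a parent-directory sequence, either raw or
    percent-encoded (decoded twice to catch double encoding)."""
    decoded = unquote(unquote(request_path))
    return "../" in decoded or "..\\" in decoded


# Constructed sample log lines in an assumed format:
# '<client ip> <user> "<METHOD> <path> HTTP/1.1" <status>'
SAMPLE_LOG = [
    '10.0.0.5 alice "GET /api/files/reports/2024.csv HTTP/1.1" 200',
    '10.0.0.9 bob "GET /api/files/..%2F..%2Fapp.conf HTTP/1.1" 200',
    '10.0.0.9 bob "GET /api/files/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404',
]

REQUEST_PATH_RE = re.compile(r'"[A-Z]+ (\S+) HTTP')


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, request_path) for every log line whose request
    path looks like a traversal attempt. A 200 status on such a line is the
    case worth investigating first; a 404 still shows someone probing."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_PATH_RE.search(line)
        if match and looks_like_traversal(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


if __name__ == "__main__":
    for requested in ["reports/2024.csv", "../../etc/passwd", "../files2/x"]:
        print(f"{requested!r:24} -> {safe_join(BASE, requested)}")
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"log line {number}: suspicious request path {path}")
```

The containment check returns the resolved path rather than a boolean so the caller opens exactly the file that was checked; validating one string and then opening another is how such checks get bypassed. The log scan is deliberately simple: it catches the common encodings, but an audit should also compare served paths against the expected directory, since a request can be encoded in ways a pattern list does not anticipate.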

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Csprousers; Csprousers csweb
CPEs                                   cpe:2.3:a:csprousers:csweb:8.0.1:*:*:*:*:*:*:*
Vendors & Products                     Csprousers; Csprousers csweb

Wed, 25 Mar 2026 15:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Census; Census csweb
Vendors & Products                     Census; Census csweb

Tue, 24 Mar 2026 02:30:00 +0000

Type          Values Removed   Values Added
Description                    Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.
Title                          Census CSWeb path traversal
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1
                               {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-25T14:34:38.740Z

Reserved: 2025-09-26T05:34:11.056Z

Link: CVE-2025-60946

Vulnrichment

Updated: 2026-03-25T14:32:26.642Z

NVD

Status : Analyzed

Published: 2026-03-23T22:16:22.583

Modified: 2026-03-26T13:27:01.667

Link: CVE-2025-60946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:23Z

Weaknesses