Description
A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. The manipulation of the argument path results in path traversal. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.
Published: 2026-01-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Read
Action: Patch
AI Analysis

Impact

The vulnerability resides in the AppFileUtils.createResponseEntity method of yeqifu warehouse. An attacker can manipulate the path argument to traverse directories and read files outside the intended workspace, resulting in remote file read capabilities that may expose sensitive configuration files or other confidential data. This is a classic path traversal flaw (CWE‑22).

Affected Systems

All installations of yeqifu warehouse built on or before the commit aaf29962ba407d22d991781de28796ee7b4670e4 are affected. Yeqifu warehouse is deployed as a rolling release, meaning that any version released before the fix may contain the flaw. There are no explicit version numbers for affected or patched releases in the public data.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, yet public exploit code demonstrates that remote attackers could trigger the path traversal if they can send crafted requests to the application. If the web application is exposed to the Internet or an untrusted network, there remains a risk of arbitrary file access that could lead to data leakage or privilege escalation.

Generated by OpenCVE AI on April 18, 2026 at 08:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade yeqifu warehouse to the latest release that contains the patch for the path traversal vulnerability.
  • Restrict the application’s file‑system access to only the directories that are required, using OS‑level permissions or container isolation so that even if the traversal succeeds it cannot reach sensitive files.
  • Deploy a web‑application firewall rule or input‑validation filter that removes or neutralises ‘..’ or other relative‑path components before they are passed to createResponseEntity.
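
An input-validation check of the kind described in the last item, written as an added example (it is not code from yeqifu warehouse, and the page does not show the body of createResponseEntity). The class name SafePathResolver, its resolve method and the sample file names are hypothetical; the check canonicalises the requested path and verifies it stays inside the base directory before any file is opened.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Hypothetical helper, not the project's AppFileUtils code.
public class SafePathResolver {
    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath(); // canonical, symlink-free base
    }

    /** Returns the canonical path of a regular file inside baseDir, else throws. */
    public Path resolve(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new SecurityException("rejected path");
        }
        Path candidate;
        try {
            // Treat '\' as a separator so "..\" is handled on every platform.
            candidate = baseDir.resolve(userPath.replace('\\', '/')).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("rejected path");
        }
        // Lexical check: Path.startsWith compares whole name elements,
        // so "/data/upload-evil" does not match base "/data/upload".
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory");
        }
        // Resolve symlinks and re-check containment on the real target.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("path escapes base directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload"); // constructed sample data
        Files.createDirectories(base.resolve("2026-01-01"));
        Files.write(base.resolve("2026-01-01/a.jpg"), new byte[] {1, 2, 3});
        SafePathResolver r = new SafePathResolver(base);
        System.out.println("allowed: " + r.resolve("2026-01-01/a.jpg"));
        for (String bad : new String[] {"../../etc/passwd", "..\\..\\secret.txt", "/etc/passwd"}) {
            try { r.resolve(bad); System.out.println("NOT BLOCKED: " + bad); }
            catch (SecurityException e) { System.out.println("blocked: " + bad); }
        }
    }
}
```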



Advisories

No advisories yet.

History

Thu, 05 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Yeqifu warehouse
CPEs | | cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*
Vendors & Products | | Yeqifu warehouse

Tue, 06 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Yeqifu; Yeqifu warehouse Management System
Vendors & Products | | Yeqifu; Yeqifu warehouse Management System

Fri, 02 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. The manipulation of the argument path results in path traversal. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.
Title | | yeqifu warehouse AppFileUtils.java createResponseEntity path traversal
Weaknesses | | CWE-22
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:11:19.068Z

Reserved: 2026-01-02T12:32:20.837Z

Link: CVE-2026-0571

Vulnrichment

Updated: 2026-01-06T20:35:37.660Z

NVD

Status: Analyzed

Published: 2026-01-02T20:16:17.697

Modified: 2026-02-05T21:12:37.997

Link: CVE-2026-0571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z
