Description
DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DreamMaker, a product developed by Interinfo, contains a relative path traversal flaw that permits arbitrary file reading. An unauthenticated local attacker can exploit the vulnerability to download any system file accessible to the process. The primary impact is that confidential data, configuration files, or system binaries could be disclosed, potentially facilitating further compromise or providing a foothold for attackers who can gain access to the environment.

Affected Systems

The affected product is Interinfo DreamMaker. Specific affected versions are not listed in the available data, so all versions prior to the fix may be vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability; no EPSS score is currently available. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need local access to the system running DreamMaker, unprivileged or privileged, and no authentication is required to read files. The lack of a published exploit does not diminish the risk; the ability to read arbitrary files can enable additional attacks such as privilege escalation or reconnaissance of system configuration.

Generated by OpenCVE AI on May 29, 2026 at 14:48 UTC.

Remediation

Vendor Solution

Update to version Java Composer 2.3 or later


OpenCVE Recommended Actions

  • Upgrade to Java Composer 2.3 or later, as released by Interinfo.
  • Restrict local access to the DreamMaker service, ensuring only trusted users or a restricted user account can execute it, and run the application under the least privilege necessary.
  • Monitor system logs for attempts to read unusual file paths that match the pattern of relative path traversal and investigate any such events promptly.


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Interinfo; Interinfo dreammaker
Vendors & Products | | Interinfo; Interinfo dreammaker

Fri, 29 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files.
Title | | Interinfo|DreamMaker - Arbitrary File Read
Weaknesses | | CWE-23
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-05-29T15:26:36.714Z

Reserved: 2026-05-29T08:39:08.294Z

Link: CVE-2026-10073

Vulnrichment

Updated: 2026-05-29T15:26:33.626Z

NVD

Status: Deferred

Published: 2026-05-29T14:16:25.953

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-10073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:00:17Z

Weaknesses