Description
DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files.
Published: 2026-05-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A relative path traversal flaw in Interinfo DreamMaker allows a privileged local attacker to read any file on the underlying system. The vulnerability is classified as CWE-23 (Relative Path Traversal) and can compromise confidentiality by exposing sensitive files such as configuration data, user credentials, or system binaries. The impact is limited to attackers who already have local execution privileges, but the ability to read arbitrary files can enable further lateral movement or escalation if system files are accessed.

Affected Systems

The flaw affects Interinfo DreamMaker. No specific product versions are listed in the data, so any release prior to the vendor's update may be vulnerable. The vendor's recommended remediation is to upgrade to Java Composer 2.3 or later, which includes the necessary fix.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation. The attacker must have local privileged access to exploit the path traversal; therefore the primary risk is internal attackers or those who gain local control. Once the application is updated, the risk is eliminated.

Generated by OpenCVE AI on May 29, 2026 at 14:47 UTC.

Remediation

Vendor Solution

Update to version Java Composer 2.3 or later


OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch by upgrading to Java Composer 2.3 or higher
  • Restrict local privileged accounts from using the DreamMaker interface or remove the application from systems where it is not required
  • Review and harden file access permissions to ensure that even if traversal occurs, sensitive files are protected


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Interinfo
Interinfo dreammaker
Vendors & Products Interinfo
Interinfo dreammaker

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files.
Title Interinfo|DreamMaker - Arbitrary File Read
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-05-29T15:25:50.512Z

Reserved: 2026-05-29T08:39:09.388Z

Link: CVE-2026-10074

Vulnrichment

Updated: 2026-05-29T15:25:47.582Z

NVD

Status: Deferred

Published: 2026-05-29T14:16:26.097

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-10074

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:15:46Z
