Description
REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.
Published: 2026-01-07
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in the Backup add-on's file export feature allows an authenticated user with backup permissions to read any file inside the webroot. The flaw exists because the add-on does not validate the EXPDIR POST parameter against the allowlist of permitted directories, so relative paths containing "../" sequences, or absolute paths inside the document root, can be supplied to include arbitrary files in the generated .tar.gz archive. The result is disclosure of sensitive data such as configuration files, credentials, or other locally readable information.

Affected Systems

The issue affects Redaxo CMS deployments running any version prior to 5.20.2. Every such installation is exposed unless the Backup add-on is not installed or no user holds backup permissions.

Risk and Exploitability

The CVSS base score of 8.3 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability was not listed in the CISA KEV catalog. Exploitation requires legitimate authentication and backup permissions, so the likely attack vector is an insider or a compromised account rather than an unauthenticated remote attacker.

Generated by OpenCVE AI on April 18, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Redaxo version 5.20.2 or later to apply the vendor‑provided validation fix for the EXPDIR parameter
  • Disable or uninstall the Backup add‑on when it is not required, and restrict backup permissions to trusted administrators only
  • Monitor audit logs for unusual backup export activity and review user permissions to ensure that only authorized users can initiate file exports
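The description above says the Backup add-on accepted the EXPDIR value without checking it against the allowlist of directories the UI offers, and the first recommended action is the vendor fix that adds that validation. The following is an added example, not REDAXO's code, of how an export endpoint can resolve a user-supplied directory safely: the function name resolveExportDir and the temporary webroot it builds are hypothetical, constructed only so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example (not REDAXO's code): resolve a user-supplied export directory
// only against an allowlist and only inside the document root. The function
// name, the allowlist entries and the temporary webroot below are hypothetical.

/**
 * Return the canonical directory for $requested, or null if it is not one of
 * the permitted directories.
 *
 * @param string   $requested raw value of the EXPDIR POST parameter
 * @param string[] $allowed   directories the UI offers, relative to $webroot
 * @param string   $webroot   document root of the installation
 */
function resolveExportDir(string $requested, array $allowed, string $webroot): ?string
{
    $root = realpath($webroot);
    if ($root === false) {
        return null;
    }

    // 1. The value must be exactly one of the allowlisted entries. This is the
    //    check the vulnerable version skipped; by itself it rejects "../"
    //    sequences and absolute paths, because neither appears in the list.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Canonicalise and confirm the result still lies under the document
    //    root. This catches an allowlisted entry that is a symlink pointing
    //    outside the webroot, which step 1 alone would not notice.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_dir($resolved)) {
        return null;
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($resolved !== $root && strncmp($resolved, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null;
    }

    return $resolved;
}

// Constructed demo webroot: two exportable directories and one file that must
// never end up in an archive.
$webroot = sys_get_temp_dir() . '/expdir-demo-' . bin2hex(random_bytes(4));
mkdir($webroot . '/media', 0700, true);
mkdir($webroot . '/data', 0700, true);
file_put_contents($webroot . '/config.yml', "db_password: constructed-sample\n");
$allowed = ['media', 'data'];

// Inputs of the kind the advisory describes, plus one legitimate value.
$cases = [
    'media'              => 'permitted directory',
    '../'                => 'traversal to the parent of the webroot',
    'media/../'          => 'traversal back to the webroot itself',
    $webroot             => 'absolute path to the document root',
    'data/../config.yml' => 'traversal to a file rather than a directory',
];

foreach ($cases as $input => $label) {
    $result = resolveExportDir($input, $allowed, $webroot);
    printf("%-22s %-45s => %s\n", var_export($input, true), $label, $result ?? 'REJECTED');
}

// Remove the constructed webroot again.
unlink($webroot . '/config.yml');
rmdir($webroot . '/media');
rmdir($webroot . '/data');
rmdir($webroot);
```

Only the first case resolves; every other input is rejected at step 1 because it is not literally one of the offered directories. The exact-match check is deliberately strict: normalising or stripping "../" from the input before comparing would reintroduce the class of bypasses the advisory is about, whereas comparing against the allowlist and then verifying the canonical path leaves nothing for the attacker to shape.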



Advisories

Source: GitHub GHSA
ID: GHSA-824x-88xg-cwrv
Title: Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
History

Tue, 20 Jan 2026 19:00:00 +0000
  CPEs (values added): cpe:2.3:a:redaxo:redaxo:*:*:*:*:*:*:*:*
  Metrics cvssV3_1 (values added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Fri, 09 Jan 2026 12:15:00 +0000
  Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000
  First Time appeared (values added): Redaxo; Redaxo redaxo
  Vendors & Products (values added): Redaxo; Redaxo redaxo

Wed, 07 Jan 2026 22:45:00 +0000
  Description (values added): REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.
  Title (values added): Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
  Weaknesses (values added): CWE-22; CWE-24
  References (values added):
  Metrics cvssV4_0 (values added): {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:17:35.890Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21857

Vulnrichment

Updated: 2026-01-08T15:09:24.426Z

NVD

Status: Analyzed

Published: 2026-01-07T23:15:50.830

Modified: 2026-01-20T18:49:29.420

Link: CVE-2026-21857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses