Impact
The vulnerability in the Hyland Alfresco Transformation Service allows an unauthenticated attacker to read any file on the hosting system through an absolute path traversal in the service's request handling, and to craft requests that reach internal or external servers via Server-Side Request Forgery (SSRF). The path-traversal component is classified as CWE-36 (Absolute Path Traversal); it can expose sensitive configuration or credential files, while the forged requests can enable further lateral movement or data exfiltration.
Affected Systems
Hyland Alfresco Community (Transform Core) and Hyland Alfresco Transformation Service (Enterprise) are affected. The advisory names no specific patch level, so all deployed instances of these products remain vulnerable until an official release addresses the issue.
Risk and Exploitability
The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score of less than 1% indicates that real-world exploitation is currently unlikely but not impossible, and the vulnerability is not listed in the CISA KEV catalog. Exploitation most likely involves crafted HTTP requests to the transformation endpoint, and because no authentication is required, the attack surface is broad. An organization's risk depends on the network exposure of the service: an instance reachable from untrusted networks, whether internal or external, raises the threat.
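To make the two weaknesses concrete from the defender's side, the following added Python example (not Alfresco code, and not derived from the advisory) shows the checks a file-reference and URL-fetch handler needs: confining a caller-supplied path to a working directory, which rejects the absolute-path case CWE-36 describes, and allow-listing plus resolution-checking an outbound URL so it cannot be turned into an SSRF pivot. The working directory, the host allow-list and the injectable resolver are assumptions for the illustration.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Constructed values for this illustration, not taken from the advisory.
SOURCE_ROOT = "/var/lib/transform/work"             # assumed working directory
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"content-repo.example.internal"}   # assumed fetch allow-list


def confine_path(user_ref: str, root: str = SOURCE_ROOT) -> str:
    """Return an absolute path under root, or raise ValueError.

    Absolute references are rejected outright (the CWE-36 case); relative
    references are normalised and must still sit below root afterwards.
    """
    if os.path.isabs(user_ref) or user_ref.startswith("\\"):
        raise ValueError("absolute path rejected")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_ref))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes root")
    return candidate


def check_fetch_url(url: str, resolve=socket.getaddrinfo) -> str:
    """Validate a URL before the service fetches it (SSRF guard).

    Scheme and host are allow-listed, then the host is resolved and any
    loopback, link-local, multicast or unspecified address is refused, so a
    name that rebinds to the host itself or to a metadata endpoint cannot
    redirect the fetch. resolve is injectable for offline testing.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL rejected")
    host = parts.hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for *_, sockaddr in resolve(host, port):
        addr = ipaddress.ip_address(sockaddr[0])
        if (addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return url
```

Both functions raise ValueError on rejection so the caller can log the refused reference or URL, which is also the signal a detection rule for probing of the endpoint would key on.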
OpenCVE Enrichment