Description
An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.
Published: 2026-03-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Disclosure via Absolute Path Traversal
Action: Update Immediately
AI Analysis

Impact

An Absolute Path Traversal flaw in Navtor NavBox allows unauthenticated attackers to read any file on the filesystem that the service process can access. The flaw arises because the HTTP service accepts user-supplied path components without proper sanitization. Successful exploitation can expose configuration files, credentials, and system secrets, compromising the confidentiality and potentially the integrity of the environment.

Affected Systems

The vulnerability affects Navtor NavBox, specifically version 4.12.0.3 as referenced by the vendor advisory. No other versions were listed, so installations running that exact build are impacted unless updated.

Risk and Exploitability

The CVSS score of 7.5 reflects a high confidentiality impact, limited by the privileges of the service process. EPSS indicates a low probability (<1%) of exploitation at the time of this assessment, and the vulnerability is not included in the CISA KEV catalog. Attackers can exploit the flaw remotely without authentication by sending crafted file-path requests to the exposed HTTP endpoint. Because the flaw requires only network connectivity to the service, restricting access to the service or applying a patch is critical.

Generated by OpenCVE AI on April 16, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Navtor NavBox to a version that resolves the Absolute Path Traversal flaw.
  • If an update is not immediately available, restrict external access to the vulnerable HTTP service using firewall rules or network segmentation.
  • Enforce authentication on the HTTP service to prevent unauthenticated requests from reaching the vulnerable endpoint.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Title Absolute Path Traversal Exposes Arbitrary Files in Navtor NavBox

Tue, 10 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
References

Mon, 09 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Navtor
Navtor navbox
Vendors & Products Navtor
Navtor navbox

Fri, 06 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.
Weaknesses CWE-36
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: MHV

Published:

Updated: 2026-03-10T15:47:41.789Z

Reserved: 2026-02-19T14:48:28.512Z

Link: CVE-2026-2753

Vulnrichment

Updated: 2026-03-09T15:20:15.323Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T15:16:11.157

Modified: 2026-03-10T18:18:49.827

Link: CVE-2026-2753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses