Description
Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4.
Published: 2026-03-06
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability originates from a chained import file write and template path traversal flaw that allows an attacker to execute arbitrary code on the host. The weakness is identified as CWE-78, reflecting improper handling of system command execution or file paths. An attacker can leverage this flaw to write malicious files to the server’s file system and then load them as templates, effectively achieving full control over the targeted installation.

Affected Systems

The affected product is idno, a social publishing platform. All releases prior to version 1.6.4 are vulnerable. The issue was addressed in release 1.6.4, so any instance running an earlier version should be considered at risk.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity impact. EPSS is below 1%, suggesting that the probability of exploitation observed in the wild is low at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, performed via the web interface, requiring the ability to submit import files and influence template paths. Although no public exploits have been documented, the combination of a remote entry point and the potential to gain code execution warrants immediate attention.

Generated by OpenCVE AI on April 16, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade idno to version 1.6.4 or later
  • If an immediate upgrade is infeasible, disable or restrict the import file functionality to prevent arbitrary file writes
  • Restrict template path access and enforce strict input validation to eliminate path traversal and command execution

Generated by OpenCVE AI on April 16, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-37j7-56xc-c468 Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal
History

Mon, 16 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Withknown
Withknown known
CPEs cpe:2.3:a:withknown:known:*:*:*:*:*:*:*:*
Vendors & Products Withknown
Withknown known
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Idno
Idno idno
Vendors & Products Idno
Idno idno

Fri, 06 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4.
Title Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N'}

Subscriptions

Idno Idno
Withknown Known
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:08:06.876Z

Reserved: 2026-02-27T20:57:47.709Z

Link: CVE-2026-28507

cve-icon Vulnrichment

Updated: 2026-03-06T15:58:18.762Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T05:16:32.073

Modified: 2026-03-16T14:43:24.713

Link: CVE-2026-28507

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses