Description
A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 2.1.11 is sufficient to fix this issue. The patch is identified as 31aeecb58b64/d8ed86b10e46. Upgrading the affected component is recommended.
Published: 2026-02-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

A flaw in the Foswiki component Changes/Viewfile/Oops lets a remote attacker retrieve information that the application should not expose. The public record does not identify the specific function or the data disclosed; what characterizes the issue is the CWE assignment (CWE-200, exposure of sensitive information; CWE-284, improper access control) and the CVSS vectors, which record a confidentiality impact only, with no integrity or availability effect, no privileges and no user interaction required. Because the trigger is a network request, the adversary needs no local access and can exploit the issue from anywhere the application is reachable.

Affected Systems

The affected product is Foswiki; every version up to and including 2.1.10 is listed as susceptible, and the NVD CPE (cpe:2.3:a:foswiki:foswiki:*) carries no narrower version bound. Any installation of those versions that serves the changes, viewfile or oops request paths to the attacker is exposed. Foswiki 2.1.11 contains the fix, identified in the description as commits 31aeecb58b64/d8ed86b10e46.

Risk and Exploitability

The score of 6.9 shown at the top of the page is the CVSS 4.0 base score; the CVSS 3.0 and 3.1 vectors rate the issue 5.3 Medium (network vector, low attack complexity, no privileges, no user interaction, low confidentiality impact only). An EPSS below 1% predicts a low likelihood of exploitation in the wild, and the CVE is not in the CISA KEV catalog. Against that, the description states that an exploit is public, and the SSVC assessment records Exploitation: poc and Automatable: yes, so an attacker who can reach the changes, viewfile or oops scripts already has what is needed to reproduce the issue and could script it across many hosts. Since a fixed release exists, the sensible course is to upgrade rather than wait for exploitation signals.

Generated by OpenCVE AI on April 16, 2026 at 16:38 UTC.

Remediation

The CVE description states that upgrading to Foswiki 2.1.11 fixes the issue and identifies the fix as commits 31aeecb58b64/d8ed86b10e46. No workaround is published on this page.

OpenCVE Recommended Actions

  • Upgrade Foswiki to version 2.1.11 or later; this is the only fix the record provides.
  • Until the upgrade is done, restrict external access to the changes, viewfile and oops request paths (Foswiki serves its scripts from its bin directory) with web-server access rules or firewall/ACL rules; these scripts also serve ordinary wiki traffic, so expect normal use to be affected.
  • Monitor web-server access logs for requests to those paths from unexpected sources. The record does not describe the actual trigger, so treat unusual volumes or sources as a prompt to investigate rather than as confirmed exploitation.
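The script below is a worked example added to this page; it is not code from OpenCVE or from the Foswiki project. It does the two checks the actions above call for: it decides from a version string whether an installation falls in the affected range the description gives (up to 2.1.10, fixed in 2.1.11), and it runs over web-server access-log lines and flags requests from external addresses to the three request paths named in the component. It assumes Foswiki's default /bin/<script> URL layout, the Apache/nginx combined log format, and two RFC 1918 ranges as the site's own networks; the log lines are constructed for the example using documentation-only IP ranges. Because the record does not describe the trigger, the script identifies access to the scripts, not exploitation.

```python
"""Triage helpers for CVE-2026-2861 (Foswiki Changes/Viewfile/Oops information disclosure).

Added example, not Foswiki or OpenCVE code. Assumptions are marked below.
"""
import ipaddress
import re
from collections import Counter

# From the CVE description: versions up to 2.1.10 are affected, 2.1.11 is fixed.
FIXED_VERSION = (2, 1, 11)

# ASSUMPTION: Foswiki is served with its default /bin/<script> URL layout, so the
# three scripts named in the component appear as these request paths. Sites that
# rewrite URLs (short URLs) must adjust the pattern.
SCRIPT_PATH_RE = re.compile(r"^/bin/(changes|viewfile|oops)(?:[/?]|$)")

# ASSUMPTION: Apache/nginx "combined" access-log format.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: these ranges are the site's own networks; anything else is external.
INTERNAL_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def parse_version(version):
    """'2.1.10' -> (2, 1, 10); non-numeric suffixes are not handled."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version):
    """True when the version is in the range the description lists as vulnerable."""
    return parse_version(version) < FIXED_VERSION


def is_internal(ip):
    """True for addresses inside INTERNAL_NETS; unparsable addresses count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def flag_requests(log_lines):
    """Return (hits, per_ip): external requests to changes/viewfile/oops and a count per source.

    Each hit is (ip, script, path, status). This identifies access to the scripts, not
    exploitation: the record gives no request signature for the actual trigger.
    """
    hits = []
    per_ip = Counter()
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        pm = SCRIPT_PATH_RE.match(m["path"])
        if not pm or is_internal(m["ip"]):
            continue
        hits.append((m["ip"], pm.group(1), m["path"], int(m["status"])))
        per_ip[m["ip"]] += 1
    return hits, per_ip


# Constructed sample log lines (not real traffic), using documentation-only IP ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Feb/2026:06:20:01 +0000] "GET /bin/viewfile/Main/WebHome?filename=notes.txt HTTP/1.1" 200 1532 "-" "curl/8.5.0"',
    '10.0.0.5 - - [21/Feb/2026:06:20:04 +0000] "GET /bin/changes/Main HTTP/1.1" 200 4201 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [21/Feb/2026:06:21:10 +0000] "GET /bin/oops/Main/WebHome HTTP/1.1" 200 980 "-" "python-requests/2.32"',
    '203.0.113.7 - - [21/Feb/2026:06:21:15 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9023 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Feb/2026:06:21:19 +0000] "GET /bin/changes HTTP/1.1" 200 3100 "-" "curl/8.5.0"',
    'this line is not in combined log format',
]


if __name__ == "__main__":
    for v in ("2.1.10", "2.1.11"):
        print(f"Foswiki {v}: {'affected' if is_affected(v) else 'fixed'}")
    hits, per_ip = flag_requests(SAMPLE_LOG)
    for ip, script, path, status in hits:
        print(f"{ip} -> {script} {path} ({status})")
    print("external requests per source:", dict(per_ip))
```

On the sample input the script reports three external requests (viewfile and changes from 203.0.113.7, oops from 198.51.100.22) and ignores the internal changes request, the unrelated view request and the malformed line. The path pattern deliberately matches only the three scripts named in the record, so `/bin/view/...` is not flagged even though it shares a prefix with viewfile.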


Tracking


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 16:30:00 +0000

  Type         Values Removed   Values Added
  References   (not listed)     (not listed)

Mon, 16 Mar 2026 14:30:00 +0000

  (no field changes listed)

Thu, 26 Feb 2026 03:15:00 +0000

  Type         Values Removed   Values Added
  Weaknesses                    NVD-CWE-noinfo
  CPEs                          cpe:2.3:a:foswiki:foswiki:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 20:15:00 +0000

  Type         Values Removed   Values Added
  Metrics                       ssvc
                                {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Foswiki
                                        Foswiki foswiki
  Vendors & Products                    Foswiki
                                        Foswiki foswiki

Sat, 21 Feb 2026 06:15:00 +0000

  Type         Values Removed   Values Added
  Description                   (initial description, identical to the Description section at the top of this page)
  Title                         Foswiki Changes/Viewfile/Oops information disclosure
  Weaknesses                    CWE-200
                                CWE-284
  References                    (not listed)
  Metrics                       cvssV2_0
                                {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
                                cvssV3_0
                                {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
                                cvssV3_1
                                {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
                                cvssV4_0
                                {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T15:24:19.883Z

Reserved: 2026-02-20T14:07:22.958Z

Link: CVE-2026-2861

Vulnrichment

Updated: 2026-03-15T16:06:49.184Z

NVD

Status : Modified

Published: 2026-02-21T06:17:01.897

Modified: 2026-03-16T16:16:14.070

Link: CVE-2026-2861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z