Description
ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the firmware parameter to access arbitrary files on the server, leading to information disclosure of sensitive system files.
Published: 2026-03-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

ZwickRoell Test Data Management versions prior to 3.0.8 have a local file inclusion flaw in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the firmware parameter to read arbitrary files from the server. This can reveal sensitive system files, exposing confidential information and potentially enabling further compromise. The vulnerability is classified as CWE-22 and has a CVSS score of 8.7, indicating high severity.

Affected Systems

All installations of ZwickRoell GmbH & Co. KG Test Data Management running a version earlier than 3.0.8. No specific sub‑versions are listed beyond the <3.0.8 cutoff.

Risk and Exploitability

The CVSS score signals a high risk of exploitation. Although the EPSS score is not available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, the lack of an authentication requirement and the ability to read arbitrary files make exploitation highly plausible for an attacker with network access to the server. The attack vector is likely remote or local within the network, and successful exploitation could lead to full information disclosure of critical system files.

Generated by OpenCVE AI on March 16, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Test Data Management to version 3.0.8 or later.



Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Zwickroell; Zwickroell test Data Management

Type: Vendors & Products
Values Added: Zwickroell; Zwickroell test Data Management

Mon, 16 Mar 2026 21:00:00 +0000

Type: Description
Values Added: ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the firmware parameter to access arbitrary files on the server, leading to information disclosure of sensitive system files.

Type: Title
Values Added: ZwickRoell Test Data Management < 3.0.8 Path Traversal LFI

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T13:36:22.871Z

Reserved: 2026-03-04T15:39:26.873Z

Link: CVE-2026-29522

Vulnrichment

Updated: 2026-03-17T13:36:19.790Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T21:16:33.717

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-29522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:46Z

Weaknesses