Description
A security flaw has been discovered in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This affects an unknown part of the file /api/admin/common/download/templates of the component API. Performing a manipulation of the argument templateName results in path traversal. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.3.3-beta is able to mitigate this issue. The patch is named aefaabfd7527188bfba3c8c9eee17c316d094802. It is recommended to upgrade the affected component. The project was informed beforehand and acted very professionally: "We have implemented path validity checks on parameters for the template download interface (...)"
Published: 2026-02-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read via Path Traversal
Action: Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw in the API endpoint /api/admin/common/download/templates of feiyuchuixue sz-boot-parent. Manipulating the templateName parameter allows attackers to read arbitrary files on the host, resulting in unauthorized data disclosure. The flaw is a typical CWE-22 path traversal and is rated with a CVSS 5.3 score, indicating medium severity.

Affected Systems

Affected versions are feiyuchuixue sz-boot-parent up to 1.3.2-beta. The remediation is available in the 1.3.3-beta release, which implements path validity checks for the template download interface.

Risk and Exploitability

The flaw can be exploited remotely by sending crafted requests to the vulnerable API. While the EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, an exploit has been made publicly available. The risk is moderate, and the impact is unauthorized reading of files that may contain sensitive information. Applying the official patch is the recommended mitigation.

Generated by OpenCVE AI on April 18, 2026 at 10:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to sz-boot-parent 1.3.3-beta, which adds path validation on templateName.
  • If an immediate upgrade is not possible, restrict or disable the /api/admin/common/download/templates endpoint or enforce strict authentication so that only trusted administrators can access it.
  • Restrict access to the vulnerable endpoint to internal networks or enforce stricter network controls such as firewall rules to limit potential attackers.


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

Changes (Type: Values Added; no values removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Changes (Type: Values Added; no values removed):
  • First Time appeared: Feiyuchuixue; Feiyuchuixue sz-boot-parent
  • Vendors & Products: Feiyuchuixue; Feiyuchuixue sz-boot-parent

Wed, 25 Feb 2026 16:15:00 +0000

Changes (Type: Values Added; no values removed):
  • Description: A security flaw has been discovered in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This affects an unknown part of the file /api/admin/common/download/templates of the component API. Performing a manipulation of the argument templateName results in path traversal. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.3.3-beta is able to mitigate this issue. The patch is named aefaabfd7527188bfba3c8c9eee17c316d094802. It is recommended to upgrade the affected component. The project was informed beforehand and acted very professionally: "We have implemented path validity checks on parameters for the template download interface (...)"
  • Title: feiyuchuixue sz-boot-parent API templates path traversal
  • Weaknesses: CWE-22
  • References:
  • Metrics:
    cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
    cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
    cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-27T16:52:23.121Z

Reserved: 2026-02-25T08:32:13.474Z

Link: CVE-2026-3188

Vulnrichment

Updated: 2026-02-27T16:51:55.843Z

NVD

Status: Deferred

Published: 2026-02-25T16:23:30.203

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses