Description
A flaw was found in Pagure's rendering engine for reStructuredText (RST) files. An authenticated user can exploit an unrestricted `.. include::` directive within RST files to read arbitrary internal files from the server hosting Pagure. This information disclosure vulnerability allows unauthorized access to sensitive data on the server.
Published: n/a
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is in Pagure’s reStructuredText (RST) rendering engine. An authenticated user can use an unrestricted ‘.. include::’ directive to read any internal file on the server hosting Pagure, leading to disclosure of sensitive data. The weakness corresponds to a path traversal condition (CWE‑22). This allows an attacker with edit rights to access files that should remain confidential, potentially exposing configuration, credentials, or other private information.

Affected Systems

Any Pagure installation that uses the default RST rendering engine without restrictions on the include directive is potentially affected. No specific version numbers are provided, so all instances that permit authenticated users to create or edit RST files could be vulnerable.

Risk and Exploitability

The CVSS score is 7.7, indicating high severity for confidentiality. No EPSS score is reported, and the vulnerability is not listed in the KEV catalog. Exploitation requires an authenticated attacker, typically someone with permission to add or modify RST content. The attack vector is therefore an authenticated internal user or a compromised account. Once exploited, the attacker can read arbitrary files, compromising the confidentiality of the system.

Generated by OpenCVE AI on March 17, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any available Pagure update or patch that restricts the ‘.. include::’ directive in RST files.
  • If no patch is available, configure the RST rendering engine to disable or limit the include directive.
  • Restrict editing rights to RST files to only users who require them and audit permissions regularly.
  • Monitor Pagure logs for unexpected use of the ‘.. include::’ directive or attempts to read files.
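
One way to carry out the audit in the last two items, as an added example that is not Pagure's or OpenCVE's code: scan RST source for `.. include::` directives and flag targets that resolve outside the repository root. The function names, the sample text and its paths are constructed for illustration, and the check assumes the document path is given relative to the repository root.

```python
import posixpath
import re

# An "include" directive at any indentation; docutils treats directive
# names case-insensitively, so the match does too.
INCLUDE_RE = re.compile(r"^\s*\.\.\s+include::\s*(?P<target>\S.*?)\s*$", re.IGNORECASE)


def find_includes(rst_text):
    """Return (line_number, target) for every include directive in the text."""
    hits = []
    for lineno, line in enumerate(rst_text.splitlines(), start=1):
        match = INCLUDE_RE.match(line)
        if match:
            hits.append((lineno, match.group("target")))
    return hits


def escapes_repo(doc_path, target):
    """True if target, resolved against the document's directory, leaves the repo.

    doc_path is relative to the repository root (assumption of this example).
    The check is lexical only; symlinks inside the repository are not followed.
    """
    if target.startswith("/"):
        return True  # absolute paths never point into the repository
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(doc_path), target))
    return resolved == ".." or resolved.startswith("../")


def audit(doc_path, rst_text):
    """List every include with a flag saying whether it points outside the repo."""
    return [
        {"line": n, "target": t, "outside_repo": escapes_repo(doc_path, t)}
        for n, t in find_includes(rst_text)
    ]


# Constructed sample document, not taken from a real project.
SAMPLE = """\
Project docs
============

.. include:: common/header.rst

   .. Include:: ../../outside.txt

.. include:: /absolute/path.txt
"""

if __name__ == "__main__":
    for finding in audit("docs/README.rst", SAMPLE):
        print(finding)
```
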

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Pagure; Pagure pagure |
| Vendors & Products | | Pagure; Pagure pagure |

Tue, 17 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw was found in Pagure's rendering engine for reStructuredText (RST) files. An authenticated user can exploit an unrestricted `.. include::` directive within RST files to read arbitrary internal files from the server hosting Pagure. This information disclosure vulnerability allows unauthorized access to sensitive data on the server. |
| Title | | pagure: Pagure: Information disclosure via unrestricted reStructuredText include directive |
| Weaknesses | | CWE-22 |
| References | | |
| Metrics | threat_severity: None | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}; threat_severity: Moderate |


MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity: Moderate

Public Date: 2026-03-13T00:00:00Z

Links: CVE-2026-3312 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T14:31:49Z

Weaknesses