Description
Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter
Published: 2026-05-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a directory traversal flaw that allows a remote attacker to manipulate the UserName parameter and access arbitrary files on the server. If exploited, the attacker can read sensitive configuration files and execute arbitrary code remotely, compromising the confidentiality, integrity, and availability of the Easy Chat Server and potentially the underlying host system. The weakness is rooted in improper input validation, enabling traversal beyond the intended directory.

Affected Systems

Easy Chat Server 3.1 is affected. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score is 6.5, but the absence of an EPSS value indicates limited publicly available exploitation data. Since the vulnerability allows remote code execution through a web-facing input, the potential for exploitation is high regardless of the EPSS metric. The vulnerability is not listed in the CISA KEV catalogue, which suggests it may not yet have widespread exploits, yet the impact remains severe if an attacker can target the affected instance.

Generated by OpenCVE AI on May 22, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest patch or upgrade to a fixed version of Easy Chat Server.
  • If a patch is not available, enforce strict validation on the UserName parameter to allow only alphanumeric characters and reject any path traversal characters such as "../" or "/".
  • Configure the filesystem permissions so that the application process cannot read or execute files outside its intended directory.
  • Restrict network exposure by limiting access to the chat server to trusted IP ranges or placing it behind a firewall to reduce the attack surface.


Advisories

No advisories yet.

History

Fri, 22 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Directory Traversal via UserName Enables Remote Code Execution in Easy Chat Server 3.1

Fri, 22 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Directory Traversal and Arbitrary Code Execution via UserName Parameter in Easy Chat Server 3.1
Weaknesses CWE-20

Fri, 22 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Directory Traversal and Arbitrary Code Execution via UserName Parameter in Easy Chat Server 3.1
Weaknesses CWE-20

Fri, 22 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-22T17:32:04.206Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36227

Vulnrichment

Updated: 2026-05-22T17:31:57.130Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:30:16Z

Weaknesses