Description
A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files[] results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-12
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal (Remote File Access)
Action: Assess Impact
AI Analysis

Impact

A vulnerability in Projectsend up to revision r1945 allows an attacker to perform a path traversal attack by manipulating the files[] parameter in import-orphans.php. This flaw exploits the realpath function, enabling the attacker to read arbitrary files on the server. Remote exploitation is possible and the exploit is publicly available, potentially compromising confidentiality of sensitive files.

Affected Systems

The affected product is Projectsend, any version up to revision r1945. No specific sub-modules are listed; the path traversal occurs in the Delete Handler component's import-orphans.php script.

Risk and Exploitability

The CVSS score for this issue is 5.1, indicating a moderate severity. The EPSS score is below 1%, suggesting low probability of exploitation, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The exposure is via a web request, so an attacker only needs remote access to the vulnerable endpoint to manipulate the files[] argument and trigger the path traversal. There is no official patch or workaround provided by the vendor, so the risk remains until a newer release or fix is applied.

Generated by OpenCVE AI on March 18, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check your Projectsend version. If it is r1945 or earlier, consider upgrading to a newer release that removes the vulnerable code.
  • If an upgrade is not immediately possible, restrict access to import-orphans.php to trusted administrators or disable the script entirely if not required.
  • Monitor web server logs for suspicious requests to import-orphans.php and investigate any unauthorized file access attempts.
  • Contact the Projectsend maintainers for a patch or further guidance.

Generated by OpenCVE AI on March 18, 2026 at 15:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files[] results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title projectsend Delete import-orphans.php realpath path traversal
First Time appeared Projectsend
Projectsend projectsend
Weaknesses CWE-22
CPEs cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*
Vendors & Products Projectsend
Projectsend projectsend
References
Metrics cvssV2_0

{'score': 4.7, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:P/E:POC/RL:ND/RC:C'}

cvssV3_0

{'score': 3.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C'}

cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Projectsend Projectsend
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T15:40:19.925Z

Reserved: 2026-03-12T09:07:40.791Z

Link: CVE-2026-4044

cve-icon Vulnrichment

Updated: 2026-03-12T15:40:15.324Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-12T16:16:11.863

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-4044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:49:38Z

Weaknesses