Impact
The vulnerability is a path traversal flaw in the inc "filename" directive of SolidCAM‑GPPL‑IDE, an unofficial Postprocessor IDE for SolidCAM. The directive accepts arbitrary path strings—including absolute paths, relative paths with parent-directory segments, and UNC paths—and uses them to resolve VS Code document links. As a result, the handler performs file existence probing on arbitrary local files and on remote UNC shares, exposing whether a file exists and, in the case of UNC probing, leaking NTLM hashes of the underlying Windows system. These capabilities provide an attacker with a mechanism to glean sensitive filesystem information and potentially capture authentication credentials, falling under information disclosure weaknesses.
Affected Systems
The issue affects versions 1.0.0 through 1.0.1 of SolidCAM‑GPPL‑IDE, released by anzory. Only v1.0.2 and later releases contain the patch that restricts the allowable paths.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. EPSS information is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. An attacker can exploit the flaw by crafting a GPPL postprocessor file with a malicious inc directive. If the victim opens that file, the IDE probes the referenced local files and UNC paths, revealing file existence and NTLM hash information. The attack requires the victim to have the vulnerable IDE installed and to open a crafted file, but does not require privileged access on the target system.
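The kind of path restriction described above can be sketched as follows. This is an added example, not the project's actual patch: the function names, the assumption that the directive sits at the start of a line, and the sample file contents are all constructed for illustration. The classification uses string checks only, so no filesystem or network access happens before a target is accepted.

```typescript
// Added example: hypothetical validator, not SolidCAM-GPPL-IDE's actual patch.
type Verdict = "ok" | "empty" | "unc" | "absolute" | "traversal";

// Classify an inc target with string checks only, so nothing touches the
// filesystem or the network before the decision is made.
function classifyIncTarget(raw: string): Verdict {
  const p = raw.trim().replace(/\\/g, "/"); // treat both separators alike
  if (p.length === 0) return "empty";
  if (p.indexOf("//") === 0) return "unc"; // \\host\share, //host/share, \\?\...
  if (p.charAt(0) === "/" || /^[A-Za-z]:/.test(p)) return "absolute"; // /x, C:\x, C:x
  if (p.split("/").indexOf("..") !== -1) return "traversal"; // any ".." segment
  return "ok";
}

interface IncFinding { line: number; target: string; verdict: Verdict; }

// Assumption: the directive is written as  inc "filename"  at the start of a line.
function auditIncDirectives(source: string): IncFinding[] {
  const findings: IncFinding[] = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const m = /^\s*inc\s+"([^"]*)"/.exec(text);
    if (m) {
      const target = m[1] || "";
      findings.push({ line: i + 1, target, verdict: classifyIncTarget(target) });
    }
  });
  return findings;
}

// Only these targets may be handed on to link resolution or existence checks.
function linkableTargets(source: string): string[] {
  return auditIncDirectives(source)
    .filter((f) => f.verdict === "ok")
    .map((f) => f.target);
}

// Constructed sample file; host and file names are placeholders.
const SAMPLE = [
  'inc "common.gpp"',
  'inc "lib/tools.gpp"',
  'inc "..\\..\\secrets.txt"',
  'inc "C:\\Windows\\win.ini"',
  'inc "\\\\files.example.invalid\\share\\x.gpp"',
  'inc "/etc/passwd"',
].join("\n");

console.log(auditIncDirectives(SAMPLE));
```

The same audit function can be run over postprocessor files received from outside before they are opened in an unpatched IDE, flagging any inc target whose verdict is not "ok".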