Description
Silverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set.
Published: 2026-06-10
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in how Silverpeas handles its "Personal space" feature: when a request omits the componentId parameter, the application falls back to the personal space, and on that code path the caller-supplied file path is not constrained to the intended directory. The weakness is classified as CWE-36 (Absolute Path Traversal), so an authenticated user can point the request at a file outside the personal space and read it. The CVSS vector (C:H/I:N/A:N) records a confidentiality impact only; no write access, injection or remote code execution is described. Reading arbitrary files can still support further attacks, for example disclosure of configuration files or credentials stored on the server.

Affected Systems

Silverpeas 6.4.6 and all earlier releases are affected. The recorded CPE (cpe:2.3:a:silverpeas:silverpeas:*:*:*:*:*:*:*:*) carries no version bound, so treat every deployed version as in scope until the vendor names a fixed release. The advisory identifies only the "Personal space" feature and its componentId handling; it does not name the servlet or code module involved.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: reachable over the network with low attack complexity and no user interaction, but an authenticated account with low privileges is required (PR:L). No EPSS score is available and the CVE is not in the CISA KEV catalogue; the SSVC assessment on this record lists Exploitation: none, Automatable: no and Technical Impact: partial. Exploitability therefore depends on who can obtain a Silverpeas account: on an internet-facing instance any ordinary user is a candidate attacker, whereas an instance restricted to a trusted user base is at lower risk. No public exploit is referenced on this page.

Generated by OpenCVE AI on June 10, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Silverpeas to a release newer than 6.4.6 as soon as the vendor publishes one; at the time of this record no fixed version or vendor workaround is listed.
  • Until a fix is available, reject requests to the Personal space feature that omit componentId (return an error instead of falling back to the personal space), either in front of the application at a reverse proxy or in the application itself.
  • Constrain file access server‑side: refuse absolute paths (CWE‑36), canonicalise the requested path and verify it stays under the intended base directory, and limit the Personal space feature to the authenticated users who need it.
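The following Java class is an added example and is not Silverpeas code. It illustrates the two points above in one place: the resolution pattern the CVE description implies (a missing componentId silently selects the personal space, and the caller-supplied path is joined to the base without checks) beside a hardened version that refuses a missing componentId, refuses absolute paths as CWE-36 requires, and verifies the canonical result stays under the base directory. The directory layout, the class and method names, and the probe requests in main() are all assumptions made for the illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Silverpeas code. Directory layout, class and method
 * names are assumptions: <dataRoot>/personal/<user> and <dataRoot>/components/<id>.
 */
public class PersonalSpaceFileResolver {

    private final Path dataRoot;

    public PersonalSpaceFileResolver(Path dataRoot) {
        this.dataRoot = dataRoot.toAbsolutePath().normalize();
    }

    /** Weak pattern, kept only for comparison with resolveSafe(). */
    public Path resolveUnsafe(String userId, String componentId, String requested) {
        // Implicit fallback: no componentId means "personal space" (the advisory's description).
        String space = (componentId == null || componentId.isEmpty())
                ? "personal/" + userId
                : "components/" + componentId;
        // Path.resolve() returns its argument unchanged when that argument is absolute,
        // so requested="/etc/passwd" discards the base entirely: CWE-36.
        return dataRoot.resolve(space).resolve(requested);
    }

    /** Hardened resolution; returns null when the request must be rejected. */
    public Path resolveSafe(String userId, String componentId, String requested) {
        // 1. No implicit fallback: an absent or blank componentId is an error.
        if (componentId == null || componentId.trim().isEmpty()) {
            return null;
        }
        // 2. componentId is a single directory name, never a path fragment.
        if (!componentId.matches("[A-Za-z0-9_-]+")) {
            return null;
        }
        // 3. CWE-36: absolute paths are refused outright (on Windows isAbsolute()
        //    also covers drive-letter and UNC forms).
        if (requested == null || requested.isEmpty() || Paths.get(requested).isAbsolute()) {
            return null;
        }
        Path base = dataRoot.resolve("components").resolve(componentId).normalize();
        // 4. normalize() collapses "." and ".." segments; startsWith() compares whole
        //    path elements, so "components/kmelia12-evil" does not pass as "kmelia12".
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return null; // "../" escaped the base, or the request names the base itself
        }
        return candidate;
    }

    public static void main(String[] args) {
        PersonalSpaceFileResolver r =
                new PersonalSpaceFileResolver(Paths.get("/var/silverpeas/data"));
        // Constructed probe requests: (userId, componentId, requested path).
        List<String[]> probes = Arrays.asList(
                new String[] {"alice", "kmelia12", "report.pdf"},          // legitimate
                new String[] {"alice", null,       "/etc/passwd"},         // no componentId, absolute path
                new String[] {"alice", "kmelia12", "../../../etc/passwd"}, // relative traversal
                new String[] {"alice", "",         "notes.txt"});          // empty componentId
        for (String[] p : probes) {
            System.out.printf("componentId=%-9s requested=%-22s%n  unsafe -> %s%n  safe   -> %s%n",
                    p[1], p[2],
                    r.resolveUnsafe(p[0], p[1], p[2]),
                    r.resolveSafe(p[0], p[1], p[2]));
        }
    }
}
```

Running main() shows the unsafe resolver returning /etc/passwd for the second probe and a path under /var/silverpeas that has left the component directory for the third, while the safe resolver returns null for every probe except the first. Two points the example does not cover and a real deployment must: if the data directory can contain symbolic links, compare `candidate.toRealPath()` against `base.toRealPath()` rather than the normalised strings, and the servlet layer still has to check that the authenticated user is authorised for the named component before serving the file.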

Generated by OpenCVE AI on June 10, 2026 at 17:37 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:00:00 +0000

Type: Title
Values Added: Silverpeas Personal Space Path Traversal Vulnerability

Wed, 10 Jun 2026 17:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 16:00:00 +0000

Type: Description
Values Added: Silverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set.

Type: First Time appeared
Values Added: Silverpeas; Silverpeas silverpeas

Type: Weaknesses
Values Added: CWE-36

Type: CPEs
Values Added: cpe:2.3:a:silverpeas:silverpeas:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Silverpeas; Silverpeas silverpeas

Type: References
Values Added: none listed

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T16:12:34.085Z

Reserved: 2026-06-10T00:00:00.000Z

Link: CVE-2026-53698

Vulnrichment

Updated: 2026-06-10T16:12:25.436Z

NVD

Status : Received

Published: 2026-06-10T16:17:17.240

Modified: 2026-06-10T16:17:17.240

Link: CVE-2026-53698

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:45:21Z

Weaknesses