Description
MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Published: 2026-07-01
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from improper validation of the filename parameter used by MCO during data export and file upload operations. The flaw allows an attacker to write files to arbitrary locations on the server's file system (CWE-22) and to learn absolute server paths indirectly from error messages (CWE-209). Taken together this is a moderate information disclosure plus an arbitrary file write; the description does not claim arbitrary file read, and the CVSS 4.0 vector records only low confidentiality and integrity impact on subsequent systems.

Affected Systems

The affected product is MyComplianceOffice MCO. The flaw has been confirmed in version 25.3.3.1 only, because attempts to contact the vendor were unsuccessful; other, currently unspecified, releases may also be affected.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 5.1 (Medium). The vector (AV:N/AC:L/AT:N/PR:H/UI:N) describes a flaw reachable over the network without user interaction but requiring high privileges, so the realistic attacker is an authenticated user with access to the export or upload features rather than an anonymous one. EPSS data is unavailable, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records exploitation as none and the flaw as not automatable. An attacker could supply a crafted filename to the export or upload functionality to create or overwrite files outside the intended directory. Because error messages leak absolute server paths, the attacker can learn the deployment's directory layout and choose a precise target for the write.

Generated by OpenCVE AI on July 1, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No patched version is listed yet; monitor the vendor for a release that addresses the filename validation flaw and update as soon as one is available. Until then, limit the export and upload features to trusted accounts, since the PR:H requirement means those accounts are the exposed population.
  • Validate filenames server-side on export and upload: reject path separators and ".." components rather than stripping them, allow only an explicit list of extensions, and confirm that the canonical (resolved) target path lies inside the designated base directory before writing.
  • Return generic error messages to clients and keep stack traces and absolute paths in server-side logs only, so that failed requests cannot be used to map the file system.

Generated by OpenCVE AI on July 1, 2026 at 16:57 UTC.
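
The following is an added example and not MCO's own code: a filename policy for an export/upload handler that implements the two recommendations above, with the vulnerable join shown beside the hardened check. The base directory, the allowed extensions, the handler name and the sample filenames are assumptions constructed for illustration.

```python
"""Added example, not MCO's own code: a filename policy for export/upload
handlers hardened against CWE-22 (path traversal) and CWE-209 (error
messages that leak absolute paths). The base directory, the allowed
extensions and the handler shape are assumptions for illustration."""
import logging
import os
import tempfile
import uuid
from pathlib import Path

log = logging.getLogger("mco-export-example")

# Assumed policy: only these extensions may be written by export/upload.
ALLOWED_EXTENSIONS = {".csv", ".xlsx", ".pdf"}


class FilenameRejected(ValueError):
    """Raised server-side; its message is logged and never sent to the client."""


def naive_export_path(base_dir: str, filename: str) -> str:
    """The vulnerable pattern: the client-supplied name is joined as-is, so
    '../' components walk out of base_dir. Returned normalised to show where
    the write would actually land."""
    return os.path.normpath(os.path.join(base_dir, filename))


def safe_export_path(base_dir: str, filename: str) -> Path:
    """Return a canonical path inside base_dir, or raise FilenameRejected."""
    if not filename or "\x00" in filename:
        raise FilenameRejected("empty filename or NUL byte")
    # A bare file name is all export/upload needs, so any directory
    # component is rejected outright rather than 'cleaned'.
    if "/" in filename or "\\" in filename:
        raise FilenameRejected(f"path separator in filename: {filename!r}")
    if filename.startswith("."):
        raise FilenameRejected(f"dot-file or traversal component: {filename!r}")
    if Path(filename).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise FilenameRejected(f"extension not allowed: {filename!r}")
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    # Defence in depth: resolve() follows symlinks, so a planted link named
    # report.csv that points outside base_dir is still caught here.
    if base not in target.parents:
        raise FilenameRejected(f"resolved outside base directory: {target}")
    return target


def is_safe_filename(base_dir: str, filename: str) -> bool:
    """Boolean view of safe_export_path for callers that only need a verdict."""
    try:
        safe_export_path(base_dir, filename)
        return True
    except FilenameRejected:
        return False


def handle_export(base_dir: str, filename: str, data: bytes) -> dict:
    """Handler shape addressing CWE-209: the detailed reason (which may contain
    an absolute path) goes to the server log under a correlation id; the
    client receives only a generic message plus that id."""
    ref = uuid.uuid4().hex[:8]
    try:
        target = safe_export_path(base_dir, filename)
        target.write_bytes(data)
        return {"status": "ok", "file": target.name}
    except FilenameRejected as exc:
        log.warning("export rejected [%s]: %s", ref, exc)
        return {"status": "error", "message": "Invalid filename", "ref": ref}
    except OSError as exc:
        # str(exc) for a failed write includes the absolute path; keep it server-side.
        log.error("export failed [%s]: %s", ref, exc)
        return {"status": "error", "message": "Export failed", "ref": ref}


def demo() -> dict:
    """Run the handler against a temporary export directory with constructed
    filenames: one legitimate, one traversal attempt, one disallowed extension."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "ok": handle_export(tmp, "report.csv", b"id,status\n1,open\n"),
            "traversal": handle_export(tmp, "../../../etc/cron.d/job.csv", b""),
            "bad_ext": handle_export(tmp, "shell.jsp", b""),
        }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, result in demo().items():
        print(name, result)
```

The separator check rejects rather than strips, because a sanitiser that removes "../" once can be bypassed with "....//"; the final `parents` check is the authoritative boundary and would also catch a symlink planted under the export directory. The correlation id in the client response lets support staff find the detailed log line without the response itself revealing any path.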


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 12:45:00 +0000

Values Removed: (none)
Values Added:
  Description: MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
  Title: Path Disclosure and Path Traversal in MCO
  Weaknesses: CWE-209, CWE-22
  References: (none listed)
  Metrics (cvssV4_0): {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}



MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-07-01T13:39:18.244Z

Reserved: 2026-06-11T07:44:52.179Z

Link: CVE-2026-53906

Vulnrichment

Updated: 2026-07-01T13:39:12.704Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T17:00:05Z

Weaknesses
  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')