Description
UBB.threads is vulnerable to path traversal, allowing attackers with the privilege to edit templates to read and write any file on the application's server that the application has privileges to access, which results in Remote Code Execution.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Published: 2026-06-18
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

UBB.threads suffers from a path‑traversal flaw that lets an authenticated user with permission to edit templates read and write any file that the application process can access. Exploiting the vulnerability can grant the attacker the ability to execute arbitrary code on the host, effectively compromising the entire server. According to the CVE description, the weakness aligns with CWE‑22, which represents an insecure handling of file paths.

Affected Systems

The vulnerability has been confirmed in UBB Systems’ UBB.threads version 7.7.5. While other releases may be impacted, no further version information is available. Administrators of UBB.threads installations should verify the exact version they are running and determine whether it is 7.7.5 or an earlier release that could be affected.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. Exploitation requires privileged access to edit templates (PR:H in the CVSS vector), which narrows the set of accounts that can trigger the flaw. The EPSS score is not available, so the current exploitation probability cannot be quantified; however, the flaw was publicly announced and documented on CERT and the vendor’s website, making it highly visible to attackers. Because the vulnerability is not listed in CISA’s KEV catalog, it has not yet been confirmed as exploited in the wild, but the high CVSS and the nature of the flaw warrant immediate attention.

Generated by OpenCVE AI on June 18, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update UBB.threads to the latest release that contains the fix for the path‑traversal vulnerability.
  • Restrict template editing permissions to trusted accounts, ensuring that only privileged users can modify template files.
  • Monitor file system access and application logs for anomalous read/write activity on critical files.


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | UBB.threads is vulnerable to path traversal, allowing attackers with the privilege to edit templates to read and write any file on the application's server that the application has privileges to access, which results in Remote Code Execution. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions.
Title | | Remote Code Execution via arbitrary file read and write in UBB.threads
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-18T13:11:19.103Z

Reserved: 2026-06-12T11:03:23.916Z

Link: CVE-2026-54223

Vulnrichment

Updated: 2026-06-18T13:11:14.534Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')