Impact
A path traversal flaw in the AIL Framework allows an authenticated user to supply specially crafted investigation identifiers that cause the application to resolve file paths outside of the intended image, favicon, or screenshot storage directories. This defect lets the attacker download and read any file that the AIL process can access, potentially exposing sensitive data. The weakness is a classic File Path Traversal (CWE‑22).
Affected Systems
The vulnerability affects the AIL Framework from the ail project. No specific version range is listed beyond the note that the issue is fixed in the commit with identifier 0041456af25da0cdea1c1c4624e46baff2731d8f. Users running a delivery of the framework that predates this commit are potentially impacted.
Risk and Exploitability
The CVSS score of 8.3 indicates a high severity. No EPSS score is available, so the probability of exploitation cannot be quantified, and the vulnerability is not yet listed in CISA’s KEV catalog. Exploitation requires authentication and a legitimate lookup of an investigation, implying an internal or privileged user could use the flaw. Once authenticated, an attacker can craft identifiers to include any path component, leading to the execution of a download that contains arbitrary file contents bundled into an archive.
OpenCVE Enrichment