Description
A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. Manipulation of the argument path causes path traversal. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Traversal
Action: Assess Impact
AI Analysis

Impact

A flaw has been identified in the Qihui jtbc5 CMS that allows an attacker to manipulate the path argument in the /dev/code/common/diplomat/manage.php endpoint. This manipulation results in a path traversal condition, permitting the attacker to read files outside the intended directory or potentially overwrite files if write permissions exist. The vulnerability can be exploited remotely, and an exploitation technique has already been published.

Affected Systems

The affected product is Qihui jtbc5 CMS, specifically version 5.0.3.6. The vulnerability resides in the Code Endpoint component located at /dev/code/common/diplomat/manage.php.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the moderate severity range. While the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the fact that the attack is remote and that an exploit is publicly known indicates that there is a realistic risk of abuse. The path traversal can lead to unauthorized file disclosure or modification, potentially compromising system integrity and confidentiality.

Generated by OpenCVE AI on April 18, 2026 at 09:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or upgrade that addresses the path traversal in Qihui jtbc5 CMS 5.0.3.6.
  • Restrict file system permissions for the CMS so that the web process cannot read or write outside its intended directories.
  • Validate and sanitize the 'path' argument in manage.php to reject references to parent directories or disallowed paths.
  • Implement a web application firewall rule that blocks requests containing '..' or other path traversal patterns.
  • Monitor web server logs for attempted traversal activity and investigate any suspicious requests.
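One way to implement the 'path' validation the third action calls for, as an added example that is not code from jtbc5 CMS (the base directory, the function name resolveWithinBase() and the constructed demo files are assumptions; the CMS's real directory layout is not given in the advisory):

```php
<?php
// Added example, not jtbc5 CMS code: resolve a user-supplied 'path' against
// a fixed base directory and refuse anything that escapes it. The base
// directory and function name are assumptions; the real CMS layout is unknown.
function resolveWithinBase(string $baseDir, string $userPath): ?string
{
    // Canonicalise the base; realpath() returns false if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject empty input, NUL bytes and absolute paths outright: none is a
    // legitimate relative reference inside the managed directory.
    if ($userPath === '' || strpos($userPath, "\0") !== false
        || $userPath[0] === '/' || $userPath[0] === '\\'
        || preg_match('#^[A-Za-z]:#', $userPath) === 1) {
        return null;
    }
    // Resolve '..' segments and symlinks against the real filesystem.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // target does not exist, so there is nothing to serve
    }
    // Containment check: the result must be the base itself or a descendant.
    // Comparing against base + separator keeps /var/www/app from accepting
    // /var/www/app2/x as "inside".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration in a throwaway temporary directory.
$tmp = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/code/sub', 0700, true);
file_put_contents($tmp . '/code/page.php', "<?php // sample\n");
file_put_contents($tmp . '/secret.txt', "outside the managed tree\n");

foreach (['page.php', '../secret.txt', 'sub/../../secret.txt', '/absolute/elsewhere'] as $p) {
    $r = resolveWithinBase($tmp . '/code', $p);
    printf("%-22s => %s\n", $p, $r === null ? 'REJECTED' : 'ok: ' . $r);
}

// Clean up the demo tree.
unlink($tmp . '/code/page.php'); unlink($tmp . '/secret.txt');
rmdir($tmp . '/code/sub'); rmdir($tmp . '/code'); rmdir($tmp);
```

realpath() only succeeds for paths that already exist, so for operations that create a new file, canonicalise and check the parent directory instead and then append a validated file name.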

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Qihui
                                      Qihui jtbc5 Cms
Vendors & Products                    Qihui
                                      Qihui jtbc5 Cms

Fri, 17 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description                    A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. This manipulation of the argument path causes path traversal. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                          Qihui jtbc5 CMS Code Endpoint manage.php path traversal
Weaknesses                     CWE-22
References
Metrics                        cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-17T13:18:00.383Z

Reserved: 2026-04-17T07:00:53.108Z

Link: CVE-2026-6487

Vulnrichment

Updated: 2026-04-17T13:17:58.167Z

NVD

Status : Deferred

Published: 2026-04-17T13:16:14.427

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')