Description
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.
Published: 2026-05-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper limitation of a pathname to a restricted directory, allowing an attacker to manipulate file paths and obtain files that should remain hidden. The flaw enables unauthorized access to sensitive files, compromising confidentiality and potentially enabling misuse of higher privilege levels if those files contain credentials or configuration data. The weakness is a classic path traversal issue identified as CWE-22.

Affected Systems

Affected products are Schneider Electric EasyLogic T150 (formerly Saitel DR) Remote Terminal Unit & Controller and Schneider Electric Saitel DP Remote Terminal Unit & Controller. Version information is not supplied in the advisory, so system administrators should verify the firmware or software revision against the vendor’s release notes to determine if the devices contain the affected code.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability is considered high severity, but the EPSS score is currently unavailable, suggesting no known widespread exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog, indicating it has not been observed in malicious exploitation yet. The likely attack vector is remote access over the network, inferred from the description that user-supplied input is processed server-side; an attacker would need to supply a crafted pathname, typically through an exposed interface, to trigger the file read. The CVSS 4.0 vector recorded in the history for this entry (AV:N/AC:L/AT:N/PR:L/UI:N) is consistent with that reading: network reachable, low attack complexity, low privileges required and no user interaction.

Generated by OpenCVE AI on May 12, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Schneider Electric firmware or patch for EasyLogic T150 and Saitel DP devices as released by the vendor
  • Configure the devices to enforce strict directory isolation, ensuring that only authorized directories are readable from the server process
  • Implement validation or sanitization of all file path inputs to reject or correct traversal sequences

Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Schneider-electric; Schneider-electric easylogic T150; Schneider-electric saitel Dp
Vendors & Products | | Schneider-electric; Schneider-electric easylogic T150; Schneider-electric saitel Dp

Tue, 12 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.
Title | | Improper Limitation of a Pathname to a Restricted Directory Vulnerability on Multiple Products
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-05-12T14:36:00.520Z

Reserved: 2026-04-22T16:17:43.729Z

Link: CVE-2026-6865

Vulnrichment

Updated: 2026-05-12T14:35:51.120Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T14:17:10.567

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-6865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:38:56Z

Weaknesses