Description
A flaw has been found in rawchen sims up to 004f783b1db5ecdfad81c8fdc3b34171211112de. Affected by this issue is some unknown functionality of the file sims-master/src/web/servlet/file/DeleteFileServlet.java of the component deleteFileServlet Endpoint. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal Vulnerability
Action: Patch
AI Analysis

Impact

A flaw in the DeleteFileServlet endpoint of rawchen sims allows a malicious actor to manipulate the "filename" parameter, leading to path traversal. Because the endpoint's purpose is deletion, the flaw can potentially allow files outside the intended directory to be removed, compromising file integrity and availability; the recorded CVSS vectors score confidentiality impact as none (C:N) and integrity and availability as low. The vulnerability is classified as a moderate-severity condition, as reflected by its CVSS score of 5.3.

Affected Systems

The affected product is rawchen:sims, specifically any deployment that includes the file sims-master/src/web/servlet/file/DeleteFileServlet.java and is based on the code commit 004f783b1db5ecdfad81c8fdc3b34171211112de. Versioning is not available, so any installation containing this code before a remediation commit remains susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level, while the EPSS score of less than 1% suggests a relatively low exploitation probability according to current models. The CVE description notes that an exploit has been published, which indicates that the vulnerability can be used in practice. The attack can be launched remotely, as the flaw occurs within a publicly accessible web endpoint.

Generated by OpenCVE AI on April 28, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply a patch that sanitizes the filename argument to prevent traversal.
  • Add strict validation in DeleteFileServlet that rejects input containing '..', absolute paths, or other escape characters.
  • Configure the endpoint to operate within a dedicated safe directory and enforce appropriate access control.
  • If the deletion functionality is not required, consider disabling or removing the deleteFileServlet mapping from the web application.
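One way to implement the strict validation and the safe-directory containment described in the bullets above, as an added example in Java (the project's language) that is not code from rawchen sims or from OpenCVE: the upload directory path, the class and method names and the sample filenames are assumptions for illustration. The check is allow-by-construction rather than a blacklist of '..': the name must be a single path component, and the resolved path is re-checked against the base directory after normalization before anything is deleted.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical hardening for a file-deletion servlet handler. Not the
 * project's code: the upload directory, the method names and the sample
 * inputs below are assumptions made for this example.
 */
public final class SafeDelete {

    /** Directory the endpoint is allowed to operate in (assumed location). */
    static final Path UPLOAD_DIR =
        Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * Resolve a user-supplied filename inside baseDir, or return null if the
     * name would escape it. Rejects NUL bytes, path separators, "." and ".."
     * before resolving, then re-checks containment after normalize() so the
     * result is accepted only if it is exactly one component below baseDir.
     */
    static Path resolveInside(Path baseDir, String filename) {
        if (filename == null || filename.isEmpty()) return null;
        if (filename.indexOf('\0') >= 0) return null;                        // NUL truncation
        if (filename.contains("/") || filename.contains("\\")) return null;  // no sub-paths, no absolute paths
        if (filename.equals(".") || filename.equals("..")) return null;      // no directory references
        Path candidate;
        try {
            candidate = baseDir.resolve(filename).normalize();
        } catch (InvalidPathException e) {
            return null;                                                     // illegal characters for this filesystem
        }
        // Defence in depth: the normalized path must still sit directly under baseDir.
        if (!candidate.startsWith(baseDir) || !baseDir.equals(candidate.getParent())) return null;
        return candidate;
    }

    /**
     * Delete only when the name is contained. Returns false both when the
     * name is rejected (the servlet would answer HTTP 400) and when the file
     * did not exist; returns true when a file was actually deleted.
     */
    static boolean deleteUpload(String filename) throws IOException {
        Path target = resolveInside(UPLOAD_DIR, filename);
        if (target == null) return false;
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name and several that must be rejected.
        List<String> samples = Arrays.asList(
            "report.pdf", "../outside.txt", "/tmp/outside.txt", "sub/report.pdf", "..", "a\0b");
        for (String s : samples) {
            Path r = resolveInside(UPLOAD_DIR, s);
            System.out.printf("%-20s -> %s%n", s.replace("\0", "\\0"), r == null ? "REJECTED" : r);
        }
    }
}
```

The null return is the signal the servlet should turn into a 400 response without touching the filesystem. If the upload directory may itself contain symbolic links, an additional `toRealPath()` comparison of the resolved target against the real path of the base directory, performed just before `deleteIfExists`, closes that remaining gap.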

Generated by OpenCVE AI on April 28, 2026 at 23:34 UTC.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Rawchen; Rawchen sims
Vendors & Products    -                Rawchen; Rawchen sims

Mon, 27 Apr 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 07:00:00 +0000

Type          Values Removed   Values Added
Description   -                A flaw has been found in rawchen sims up to 004f783b1db5ecdfad81c8fdc3b34171211112de. Affected by this issue is some unknown functionality of the file sims-master/src/web/servlet/file/DeleteFileServlet.java of the component deleteFileServlet Endpoint. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Title         -                rawchen sims deleteFileServlet Endpoint DeleteFileServlet.java path traversal
Weaknesses    -                CWE-22
References    -
Metrics       -                cvssV2_0 {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0 {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:44:44.454Z

Reserved: 2026-04-25T14:05:37.645Z

Link: CVE-2026-7024

Vulnrichment

Updated: 2026-04-27T12:44:38.926Z

NVD

Status : Deferred

Published: 2026-04-26T07:16:03.390

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses