CVE-2026-9550 - Vulnerability Details

- Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform upfile path traversal

Description

A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of the file /SubstationWEBV2/app/..;/main/upfile. Executing a manipulation of the argument path can lead to path traversal. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-26

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the upload endpoint at /SubstationWEBV2/app/..;/main/upfile, where unsanitized path arguments can cause a directory traversal. An attacker can supply crafted values that resolve to files outside the intended upload directory, potentially exposing or modifying system files. The impact is limited to remote file system access; confidentiality and integrity of critical files could be compromised, but it does not directly allow arbitrary code execution. The flaw aligns with CWE‑22, which describes insufficient validation of file name arguments.

Affected Systems

The affected product is Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform, specifically version 1.3.0. No other versions or vendors are listed, so the issue appears confined to this release.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate severity, and the EPSS score is not available at this time. The vulnerability is not listed in the CISA KEV catalog, indicating no known public exploitation campaigns have been recorded yet. However, the ability to manipulate a path remotely is a significant threat vector that could lead to unauthorized file access if exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Acrel Electrical

EEMS Enterprise Power Operation and Maintenance Cloud Platform

affected

Version	Status	Constraints
`1.3.0`	affected	—

No data.

Vendor Product Confidence Versions

Acrel Electrical

Eems Enterprise Power Operation And Maintenance Cloud Platform

95%

Version	Status	Scheme	Platform
`1.3.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor‑released patch or upgrade to a version that fixes the path traversal issue.
If no patch is available, temporarily disable the /SubstationWEBV2/app/..;/main/upfile upload endpoint until remediation is applied.
Implement server‑side validation to reject any path strings containing traversal sequences such as ".." or absolute paths, and ensure uploads are confined to a dedicated directory with strict permissions.

Generated by OpenCVE AI on May 26, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://ucn9h68n9289.feishu.cn/wiki/FC6swHuyqiLVyfkwKcNc8sCjnfb
https://vuldb.com/submit/815455
https://vuldb.com/vuln/365609
https://vuldb.com/vuln/365609/cti

History

Tue, 26 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 26 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of the file /SubstationWEBV2/app/..;/main/upfile. Executing a manipulation of the argument path can lead to path traversal. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform upfile path traversal
First Time appeared		Acrel Electrical Acrel Electrical eems Enterprise Power Operation And Maintenance Cloud Platform
Weaknesses		CWE-22
CPEs		cpe:2.3:a:acrel_electrical:eems_enterprise_power_operation_and_maintenance_cloud_platform::::::::
Vendors & Products		Acrel Electrical Acrel Electrical eems Enterprise Power Operation And Maintenance Cloud Platform
References		https://ucn9h68n9289.feishu.cn/wiki/FC6swHuyqiLVyfkwKcNc8sCjnfb https://vuldb.com/submit/815455 https://vuldb.com/vuln/365609 https://vuldb.com/vuln/365609/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Acrel Electrical Eems Enterprise Power Operation And Maintenance Cloud Platform

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-26T13:30:39.652Z

Updated: 2026-05-26T16:19:35.607Z

Reserved: 2026-05-26T07:14:38.676Z

Link: CVE-2026-9550

Vulnrichment

Updated: 2026-05-26T16:19:20.544Z

NVD

Status : Received

Published: 2026-05-26T15:16:58.000

Modified: 2026-05-26T15:16:58.000

Link: CVE-2026-9550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:30:09Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object