MEDIUM🇵🇱 Wersja polska

CVE-2026-46747

CVSS 5.3v4.0pub. 2026-06-09upd. 2026-06-12

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used for directory listing. This allows path traversal through crafted input, enabling access to unintended file system locations.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Siemens Sinec Ins

    APP
    Siemens
    1.0≤ 1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2024-46888CRITICAL9.4PL ✓ten sam produkt

Path Traversal w SINEC INS umożliwia RCE przez SFTP

CVE-2024-46890CRITICAL9.4PL ✓ten sam produkt

Command injection w Siemens SINEC INS – wykonanie kodu na systemie operacyjnym

CVE-2022-45092CRITICAL9.9ten sam produkt

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 1). An authenticated remote a...

CVE-2022-35255CRITICAL9.1ten sam produkt

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() ...

CVE-2021-22945CRITICAL9.1ten sam produkt

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep...