CRITICAL🇵🇱 Wersja polska

CVE-2026-8326

CVSS 10.0v4.0pub. 2026-05-29

Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component is the RDP drive redirection.  Depending on implementation, the vulnerability can be exploited by an unauthenticated attacker. This issue affects SparkView: before build 1127.

🤖 AI Analysis
How it works

The vulnerability (CWE-23) consists of improper neutralization of path traversal sequences in the module handling RDP drive redirection. An attacker can craft an appropriate request containing sequences that allow escaping the permitted directory (e.g., '../'), enabling access to any location in the file system. The ability to write files with root privileges enables placement of malicious code or overwriting of critical system files, leading to complete server takeover (RCE).

Impact

An attacker can read and write arbitrary files on the server with root privileges, which consequently enables remote code execution and complete takeover of the system and potentially associated infrastructure.

Mitigation & patch

SparkView should be updated to build 1127 or later as soon as possible. Detailed information about the update is available in the vendor's references: https://www.remotespark.com/view/new.html

Who is affected

Remote Spark SparkView in all versions before build 1127 — affects the RDP drive redirection component.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalAuth Bypass
CWE
References