CVE-2026-2976 - Vulnerability Analysis
MediumCVSS: 4.3Last Updated: February 24, 2026
FastApiAdmin - Information Disclosure
Published: February 23, 2026Updated: February 24, 2026PoC AvailableRemote Exploitable
Overview
FastApiAdmin <= 2.2.0 contains an information disclosure vulnerability caused by manipulation of the "file_path" argument in download_controller of /backend/app/api/v1/module_common/file/controller.py, letting remote attackers disclose sensitive information, exploit requires no special privileges.
Severity & Score
Severity: Medium
CVSS Score: 4.3
Impact
Remote attackers can disclose sensitive information by manipulating file_path, potentially exposing confidential data.
Mitigation
Update to the latest version beyond 2.2.0.
References
Related Resources
Details
- CVE ID
- CVE-2026-2976
- Severity
- Medium
- CVSS Score
- 4.3
- Type
- undefined
- Status
- confirmed
CWE
- CWE-200
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N