Home / Vulnerability Intelligence / CVE-2026-5027

CVE-2026-5027 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 30, 2026

Application - Path Traversal

Published: March 27, 2026Updated: March 30, 2026Remote Exploitable

Overview

The application contains a path traversal vulnerability caused by unsanitized 'filename' parameter in the 'POST /api/v2/files' multipart form data, letting attackers write files to arbitrary filesystem locations, exploit requires crafted request.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 5.4%(Probability of exploitation in next 30 days)

Impact

Attackers can write files to arbitrary locations, potentially leading to system compromise or data tampering.

Mitigation

Sanitize the 'filename' parameter to prevent path traversal or update to the latest secure version.

References

https://www.tenable.com/security/research/tra-2026-26

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 27, 2026

🟠 CVE-2026-5027 - High (8.8) The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../'). 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5027/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-5027
Severity: High
CVSS Score: 8.8
Type: path_traversal
Status: unconfirmed
EPSS: 5.4%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.4%Probability of exploitation in the next 30 days