CVE-2021-41323

6.5 MEDIUM

Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells ...

Published: 2021-09-30 · Last updated: 2026-06-17

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22

Affected products

Vendor	Product
pydio	cells

Description

Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-41323
[Other]https://charonv.net/Pydio-Broken-Access-Control/
[Other]https://github.com/pydio/cells/releases/tag/v2.2.12
[Vendor advisory]https://pydio.com/fr/community/releases/pydio-cells/pydio-cells-enterprise-2212
[Other]https://charonv.net/Pydio-Broken-Access-Control/
[Other]https://github.com/pydio/cells/releases/tag/v2.2.12
[Vendor advisory]https://pydio.com/fr/community/releases/pydio-cells/pydio-cells-enterprise-2212

Related CVEs

Same vendor

CVE-2021-41324 — Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal f... (6.5 MEDIUM)
CVE-2021-41325 — Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile param... (6.5 MEDIUM)

Same CWE

CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)