CVE-2026-0804
6.7 MEDIUM
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege e...
Published: 2026-05-12 · Last updated: 2026-05-19
Severity and scoring
- CVSS: 6.7 MEDIUM
- Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-35
Affected products
| Vendor | Product |
|---|---|
| axis | axis_os |
Description
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-1185 — A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to priv... (5.4 MEDIUM)
- CVE-2026-0802 — An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege esca... (6.0 MEDIUM)
- CVE-2026-0541 — ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to p... (6.7 MEDIUM)
Same CWE
- CVE-2026-52703 — Unauthenticated Path Traversal in FastDup <= 2.7.2 versions (9.6 CRITICAL)
- CVE-2026-49112 — Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions (7.5 HIGH)
- CVE-2026-42661 — Custom role Path Traversal in WP Customer Area <= 8.3.4 versions (8.8 HIGH)
- CVE-2026-40128 — SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that man... (9.0 CRITICAL)
- CVE-2026-24315 — SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain, this when opened ... (4.2 MEDIUM)