CVE-2026-2753
7.5 HIGH
An Absolute Path Traversal vulnerability exists in Navtor NavBox
Published: 2026-03-06 · Last updated: 2026-06-05
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-36
Affected products
| Vendor | Product |
|---|---|
| navtor | navbox_firmware |
Description
An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP service that fails to properly sanitize user-supplied path input. Unauthenticated remote attackers can exploit this issue by submitting requests containing absolute filesystem paths. Successful exploitation allows the attacker to retrieve arbitrary files from the underlying filesystem, limited only by the privileges of the service process. This can lead to the exposure of sensitive configuration files and system information.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-2754 — Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints (7.5 HIGH)
Same CWE
- CVE-2026-53698 — Silverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set (6.5 MEDIUM)
- CVE-2026-10075 — DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under ... (5.3 MEDIUM)
- CVE-2026-10044 — Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on... (7.5 HIGH)
- CVE-2026-32997 — A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & ...