CVE-2026-53698
6.5 MEDIUMSilverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-36
Description
Silverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-53698
- [Other]https://github.com/Silverpeas/Silverpeas-Core/blob/983c5d07928b8a5ddcb39cc17d7fb9a0d87019b9/core-war/src/main/java/org/silverpeas/web/servlets/FileServer.java#L120-L122
- [Other]https://github.com/Silverpeas/Silverpeas-Core/blob/983c5d07928b8a5ddcb39cc17d7fb9a0d87019b9/core-war/src/main/java/org/silverpeas/web/servlets/FileServer.java#L150-L153
- [Other]https://github.com/Silverpeas/Silverpeas-Core/commit/caa6e6d1ac967ebd29b39e11c2ef5e7fd0047eec
- [Other]https://tracker.silverpeas.org/issues/15229
Related CVEs
Same CWE
- CVE-2026-10075 — DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under ... (5.3 MEDIUM)
- CVE-2026-10044 — Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on... (7.5 HIGH)
- CVE-2026-32997 — A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & ...
- CVE-2026-2753 — An Absolute Path Traversal vulnerability exists in Navtor NavBox (7.5 HIGH)