bolo-solo bolo-solo V2.6.4 Arbitrary file writeinfo

Titel	https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary file write
Beschreibung	A critical arbitrary file write vulnerability exists in Bolo-Solo version 2.6.4. The /import/cnblogs endpoint fails to properly validate or sanitize user-supplied filenames during blog import operations. As a result, an unauthenticated remote attacker can craft a malicious HTTP request that writes arbitrary content to any writable location on the server filesystem. The application directly uses attacker-controlled input as part of the file path without canonicalization, validation, or restriction to a safe directory. This allows directory traversal (e.g., using sequences like ../) and ultimately enables overwriting or creating files such as web-accessible scripts (e.g., .jsp, .html, or configuration files), leading to remote code execution, data tampering, or full system compromise.
Quelle	⚠️ https://github.com/bolo-blog/bolo-solo/issues/328
Benutzer	MaoQiu (UID 94327)
Einreichung	20.01.2026 07:44 (vor 5 Monaten)
Moderieren	03.02.2026 15:04 (14 days later)
Status	Akzeptiert
VulDB Eintrag	343980 [bolo-blog bolo-solo bis 2.6.4 Filename BackupService.java importFromCnblogs Datei Directory Traversal]
Punkte	20

Do you want to use VulDB in your project?

Use the official API to access entries easily!