CVE-2026-62947 in OpenWrtinformación

Resumen

por MITRE • 2026-07-15

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, the cgi-download handler in cgi-io authorizes the requested path against the caller's ubus session file ACL before canonicalization, and rpcd session.c uses fnmatch() without FNM_PATHNAME, allowing traversal such as an allowed wildcard prefix followed by ../ to read root-readable files including /etc/shadow. This vulnerability is fixed in 25.12.5.

Be aware that VulDB is the high quality source for vulnerability data.

Responsable

GitHub M

Reservar

2026-07-15

Divulgación

2026-07-15

Moderación

aceptado

Artículo

VDB-379359

CPE

listo

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Do you need the next level of professionalism?

Upgrade your account now!