CVE-2026-21620
published 2026-02-20

CVE-2026-21620: Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file…

Priority: P4 (17, low); CVSS 4.0: 2.3
EPSS: 0.46% (36.6th percentile)
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | `< erlang 1:27.3.4.8+dfsg-1 (forky)` | erlang 1:27.3.4.8+dfsg-1 (forky) |
| erlang | otp | `>= 07b8f441ca711f9812fad9e9115bab3c3aa92f79 < **` | |
| erlang | otp | `>= 1.0 < **` | |
| erlang | otp | `>= 17.0 < **` | |
| erlang | otp | `>= 5.10 < 7.0` | 7.0 |
| msrc | azl3_erlang_26.2.5.15-1_on_azure_linux_3.0 | | |
| msrc | cbl2_erlang_25.3.2.21-4_on_cbl_mariner_2.0 | | |
| msrc | cbl2_erlang_25.3.2.21-5_on_cbl_mariner_2.0 | | |

CVSS provenance

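| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 2.3 | LOW | `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` |
| osv | | 2.3 | LOW | |
| vendor_debian | | 2.3 | LOW | |
| vendor_msrc | | 2.3 | LOW | |
| vendor_redhat | | 2.3 | LOW | |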