CVE-2026-6282
published 2026-05-13CVE-2026-6282: A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user…
PriorityP351high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EPSS
0.39%
30.9th percentile
A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lenovo | home_storage_hub_t20 | < 5.5.8.t20.1 | 5.5.8.t20.1 |
| lenovo | home_storage_hub_x20 | < 5.4.4.x20.1 | 5.4.4.x20.1 |
| lenovo | personal_cloud_a1 | <= 5.4.2.a1.3 | — |
| lenovo | personal_cloud_a1s | <= 5.5.6.a1s | — |
| lenovo | personal_cloud_t1 | <= 5.4.0.t1.6 | — |
| lenovo | personal_cloud_t2 | <= 5.4.5.t2.2 | — |
| lenovo | personal_cloud_t2pro | < 5.4.8.t2pro.2 | 5.4.8.t2pro.2 |
| lenovo | personal_cloud_t2s | < 5.5.6.t2s.3 | 5.5.6.t2s.3 |
| lenovo | personal_cloud_x1 | <= 5.4.7.x1.1 | — |
| lenovo | personal_cloud_x1s | < 5.4.8.x1s.2 | 5.4.8.x1s.2 |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvdv4.08.6HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Lenovo Personal Cloud X1 prior 5.5.6.t2s.3 path traversal (EUVD-2026-30041)
vuldb·2026-05-14·CVSS 8.6
CVE-2026-6282 [HIGH] Lenovo Personal Cloud X1 prior 5.5.6.t2s.3 path traversal (EUVD-2026-30041)
A vulnerability was found in Lenovo Personal Cloud T2s, Personal Cloud T2Pro, Personal Cloud X1s, Home Storage Hub T20, Home Storage Hub X20, Personal Cloud T1, Personal Cloud A1, Personal Cloud A1s, Personal Cloud T2 and Personal Cloud X1. It has been classified as critical. Impacted is an unknown function. The manipulation leads to path traversal.
This vulnerability is traded as CVE-2026-6282. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
GHSA
GHSA-m6vj-6h49-wg69: A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authentic
ghsa_unreviewed·2026-05-13
CVE-2026-6282 [HIGH] CWE-22 GHSA-m6vj-6h49-wg69: A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authentic
A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-13
Published