CVE-2026-6815
Published 2026-05-11
Priority P3 · 41 · medium · 5.9 · CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS: 0.51% (39.8th percentile)
An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application's intended storage sandbox.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| casbin | casdoor | <= 2.328.0 | — |
| casdoor | casdoor | <= v2.328.0 | — |
VulDB
Casdoor up to 2.328.0 path traversal (EDB-52584)
vuldb·2026-05-28·CVSS 5.9
CVE-2026-6815 [MEDIUM] Casdoor up to 2.328.0 path traversal (EDB-52584)
A vulnerability, which was classified as critical, has been found in Casdoor up to 2.328.0. The affected element is an unknown function. Performing a manipulation results in path traversal.
This vulnerability was named CVE-2026-6815. The attack may be initiated remotely. In addition, an exploit is available.
GHSA
GHSA-rmxx-v9rj-vpvg: An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider
ghsa_unreviewed·2026-05-11
CVE-2026-6815 GHSA-rmxx-v9rj-vpvg: An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider
No detection rules found.
2026-05-11
Published