CVE-2016-10726

HIGH

DSpace < 3.6, 4.0-4.5 - Path Traversal via XMLUI Themes Path

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-10726. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains the source code for DSpace, an open-source digital repository software, with a focus on the files related to CVE-2016-10726. The code includes administrative tools and utilities, but does not contain a functional exploit or detailed technical analysis of the vulnerability itself.

Description

The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/DSpace__DSpace_CVE-2016-10726_4-4


Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: DSpace (version not explicitly specified)
No auth needed
Prerequisites: Access to DSpace source code · Understanding of DSpace architecture
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Third Party Advisory x_refsource_misc
https://github.com/DSpace/DSpace/releases/tag/dspace-5.5
Patch, Vendor Advisory x_refsource_misc
https://jira.duraspace.org/browse/DS-3094

Scores

CVSS v3 7.5
EPSS 0.0054
EPSS Percentile 68.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-22
Status published
Products (2)
duraspace/dspace < 3.6
org.dspace/dspace-xmlui 4.0 - 4.5 (Maven)
Published Jul 10, 2018
Tracked Since Feb 18, 2026