CVE-2018-20470

HIGH · EXPLOITED · NUCLEI

Sahi Pro < 8.0.0 - Directory Traversal in Web Reports Module

Title source: llm

Exploitation Summary

CVE-2018-20470 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Goutham Madhwaraj. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a directory traversal vulnerability in Sahi Pro (versions <= 8.x) via a crafted URL, allowing unauthorized access to sensitive files like 'win.ini'. The PoC provides a direct URL to exploit the flaw without requiring authentication.

Description

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.

Exploits (1)

exploitdb · WORKING POC
by Goutham Madhwaraj · text · webapps · multiple
https://www.exploit-db.com/exploits/47005

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Sahi Pro <= 8.x
Authentication: No auth needed
Prerequisites: Network access to the Sahi Pro server · Sahi Pro web reports module enabled
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Tyto Sahi Pro 7.x/8.x - Local File Inclusion
HIGH · by daffainfo

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/153330/Sahi-Pro-7.x-8.x-Directory-Traversal.html

Scores

CVSS v3 7.5
EPSS 0.4597
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2023-12-28
CWE CWE-22
Status published
Products (1)
sahipro/sahi_pro < 8.0.0
Published Jun 17, 2019
Tracked Since Feb 18, 2026