CVE-2019-12276

HIGH EXPLOITED NUCLEI

GrandNode 4.40 - Unauthenticated Path Traversal via LetsEncrypt Controller

Title source: llm

Exploitation Summary

CVE-2019-12276 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Corey Robinson. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated path traversal vulnerability in GrandNode's LetsEncryptController, allowing arbitrary file download via crafted HTTP requests. The PoC sends a GET request with a manipulated 'fileName' parameter to retrieve sensitive files.

Description

A Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.

Exploits (1)

exploitdb WORKING POC

by Corey Robinson · pythonwebappsmultiple

https://www.exploit-db.com/exploits/47027

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated path traversal vulnerability in GrandNode's LetsEncryptController, allowing arbitrary file download via crafted HTTP requests. The PoC sends a GET request with a manipulated 'fileName' parameter to retrieve sensitive files.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: GrandNode <= v4.40

No auth needed

Prerequisites: Network access to the target GrandNode instance

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

GrandNode 4.40 - Local File Inclusion

HIGHby daffainfo

References (3)

Core 3

Core References

Vendor Advisory x_refsource_misc

https://grandnode.com

Third Party Advisory x_refsource_misc

https://github.com/grandnode/grandnode

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/153373/GrandNode-4.40-Path-Traversal-File-Download.html

Scores

CVSS v3 7.5

EPSS 0.5371

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2023-11-26

CWE

CWE-22

Status published

Products (1)

grandnode/grandnode 4.40

Published Jun 05, 2019

Tracked Since Feb 18, 2026