CVE-2020-35460

MEDIUM

Oracle Primavera Unifier >=17.7 <17.12 - Path Traversal and Arbitrary File Write via Zip Stream Handler

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35460. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2020-35460, targeting the MPXJ library. The code includes multiple C# utilities for converting, creating, and querying project files, which can be used to exploit the vulnerability.

Description

common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.

Exploits (1)

nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/joniles__mpxj_CVE-2020-35460_8-3-4

This repository contains functional exploit code for CVE-2020-35460, targeting the MPXJ library. The code includes multiple C# utilities for converting, creating, and querying project files, which can be used to exploit the vulnerability.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: MPXJ library versions up to 8.3.4
No auth needed
Prerequisites: Access to a system using the vulnerable MPXJ library
devstral-2 · analyzed Feb 18, 2026

References (3)

Core 3
Core References
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujan2021.html
Release Notes, Vendor Advisory: http://www.mpxj.org/changes-report.html#a8.3.5

Scores

CVSS v3 5.3
EPSS 0.0176
EPSS Percentile 75.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (8)
mpxj/mpxj < 8.3.5
net.sf.mpxj/mpxj 0 - 8.3.5 (Maven)
oracle/primavera_unifier 16.1
oracle/primavera_unifier 16.2
oracle/primavera_unifier 18.8
oracle/primavera_unifier 19.12
oracle/primavera_unifier 21.12
oracle/primavera_unifier 17.7 - 17.12
Published Dec 14, 2020
Tracked Since Feb 18, 2026