CVE-2021-4463

HIGH

Longjing Technology BEMS API <=1.21 - Info Disclosure

Title source: llm

Description

Longjing Technology BEMS API versions up to and including 1.21 contain an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · hardware
https://www.exploit-db.com/exploits/50163

Scores

CVSS v4 8.7
EPSS 0.0019
EPSS Percentile 40.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22 CWE-552
Status published
Products (1)
Shenzhen Longjing Technology Co. Ltd./BEMS API < 1.21
Published Nov 12, 2025
Tracked Since Feb 18, 2026