CVE-2021-4463

Longjing Technology BEMS API <=1.21 - Info Disclosure

Title source: llm

Description

Longjing Technology BEMS API versions up to and including 1.21 contain an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · hardware
https://www.exploit-db.com/exploits/50163

Scores

EPSS 0.0014
EPSS Percentile 34.2%

Classification

CWE
CWE-22, CWE-552
Status draft

Timeline

Published Nov 12, 2025
Tracked Since Feb 18, 2026