CVE-2023-35801

HIGH

Safe FME Server < 2022.2.5 - Authenticated Path Traversal and Arbitrary File Write via Network Resource Connection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-35801. PoCs published by trustcves.

AI-analyzed exploit summary The writeup details CVE-2023-35801, a directory traversal vulnerability in FME Server/FME Flow allowing arbitrary file write. It explains the validation bypass mechanism and includes a vendor contact timeline.

Description

A directory traversal vulnerability in Safe Software FME Server before 2022.2.5 allows an attacker to bypass validation when editing a network-based resource connection, resulting in the unauthorized reading and writing of arbitrary files. Successful exploitation requires an attacker to have access to a user account with write privileges. FME Flow 2023.0 is also a fixed version.

Exploits (1)

nomisec WRITEUP
by trustcves · poc
https://github.com/trustcves/CVE-2023-35801

The writeup details CVE-2023-35801, a directory traversal vulnerability in FME Server/FME Flow allowing arbitrary file write. It explains the validation bypass mechanism and includes a vendor contact timeline.

Classification
Writeup 100%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: FME Server/FME Flow (versions prior to 2022.2.5 and 2023.0)
Auth required
Prerequisites: Valid user account with write privileges
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.1
EPSS 0.0117
EPSS Percentile 63.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (1)
safe/fme_server < 2022.2.5
Published Jun 23, 2023
Tracked Since Feb 18, 2026