Exploitation Summary
CVE-2024-36117 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. Reposilite has addressed this issue in version 3.5.12. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-074.
Nuclei Templates (1)
Reposilite >= 3.3.0, < 3.5.12 - Arbitrary File Read
HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch
Shodan:
http.favicon.hash:1212523028
References (3)
Core 3
Core References
Release Notes x_refsource_confirm
https://github.com/dzikoysk/reposilite/releases/tag/3.5.12
Exploit, Mitigation, Vendor Advisory x_refsource_misc
https://github.com/dzikoysk/reposilite/security/advisories/GHSA-82j3-hf72-7x93
Scores
CVSS v3
8.6
EPSS
0.0314
EPSS Percentile
86.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
VulnCheck KEV
2025-10-17
CWE
CWE-22
Status
published
Products (2)
com.reposilite/reposilite-backend
3.3.0 - 3.5.12Maven
reposilite/reposilite
3.3.0 - 3.5.12
Published
Jun 19, 2024
Tracked Since
Feb 18, 2026