Description
** Disputed ** An Information Disclosure vulnerability in CouchCMS 2.4 allows an Admin user to read arbitrary files by repeatedly traversing back up through parent directories. It can disclose source code or other confidential information if weaponized accordingly. NOTE: A community member states that this is not a CouchCMS vulnerability and that if /\<file> is accessible it is a web-server configuration issue.
References (3)
Core 3
Core References
Exploit, Third Party Advisory
https://gist.github.com/thepiyushkumarshukla/d01f8004c43692f18c75548f4739955a
Product
https://www.couchcms.com/
Scores
CVSS v3
6.5
EPSS
0.0003
EPSS Percentile
7.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
couchcms/couchcms
2.4
Published
Jan 09, 2026
Tracked Since
Feb 18, 2026