Description
EAP Legislator is vulnerable to path traversal in its file extraction functionality. An attacker can prepare a zipx archive (the default file type used by the Legislator application) and choose an arbitrary path outside the intended directory (e.g. system startup) to which files will be extracted when the victim opens the file. This issue was fixed in version 2.25a.
References (2)
Core References
Various Sources product
https://abcpro.pl/eap-legislator
Various Sources third-party-advisory
https://cert.pl/posts/2026/02/CVE-2026-1186
Scores
CVSS v4
8.6
EPSS
0.0034
EPSS Percentile
26.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
ABC PRO SP. Z O.O./EAP Legislator
< 2.25
Published
Feb 02, 2026
Tracked Since
Feb 18, 2026