CVE-2026-21857

MEDIUM

REDAXO < 5.20.2 - Authenticated Path Traversal via Backup Addon EXPDIR Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-21857. PoCs published by lukasz-rybak.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-21857, a path traversal vulnerability in the Redaxo Backup addon. It includes vulnerability details, affected code snippets, and a step-by-step proof-of-concept for exploiting the issue to read arbitrary files.

Description

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.

Exploits (1)

nomisec WRITEUP

by lukasz-rybak · poc

https://github.com/lukasz-rybak/CVE-2026-21857

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-21857, a path traversal vulnerability in the Redaxo Backup addon. It includes vulnerability details, affected code snippets, and a step-by-step proof-of-concept for exploiting the issue to read arbitrary files.

Classification

Writeup 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Redaxo (versions <= 5.20.1)

Auth required

Prerequisites: Authenticated user with backup permissions

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv

Release Notes x_refsource_misc

https://github.com/redaxo/redaxo/releases/tag/5.20.2

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 10.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22 CWE-24

Status published

Products (2)

redaxo/redaxo < 5.20.2

redaxo/source 0 - 5.20.2Packagist

Published Jan 07, 2026

Tracked Since Feb 18, 2026