CVE-2026-3795

MEDIUM

DoraCMS 3.0.x - Path Traversal

Title source: llm

Description

A security flaw has been discovered in doramart DoraCMS 3.0.x. Impacted is the function createFileBypath of the file /DoraCMS/server/app/router/api/v1.js. Performing a manipulation results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

github WORKING POC 2 stars

by LTX-GOD · poc

https://github.com/LTX-GOD/Mycve/tree/main/doracms2-CVE-2026-3795.md

View Code ZIP pw:eip

References (3)

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.349762

[Permissions Required, VDB Entry] https://vuldb.com/?id.349762

[Permissions Required, VDB Entry] https://vuldb.com/?submit.768241

Scores

CVSS v3 6.3

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-22

Status published

Products (2)

doramart/DoraCMS 3.0.*

html-js/doracms

Published Mar 09, 2026

Tracked Since Mar 09, 2026