CVE-2026-4044

LOW

ProjectSend up to r1945 - Path Traversal

Title source: llm

Description

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files[] results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Various Sources] https://drive.google.com/file/d/1BOWm9FvhmM90oP91rOWpI4GoWdbI06wg/view?usp=sharing

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.350656

[Permissions Required, VDB Entry] https://vuldb.com/?id.350656

[Permissions Required, VDB Entry] https://vuldb.com/?submit.769528

Scores

CVSS v3 3.8

EPSS 0.0009

EPSS Percentile 24.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Details

CWE

CWE-22

Status published

Published Mar 12, 2026

Tracked Since Mar 12, 2026