CVE-2026-42213
Severity: MEDIUM
SolidCAM-GPPL-IDE: Path traversal in `inc` directive enables file probing and NTLM-hash leak
Title source: cnaDescription
SolidCAM-GPPL-IDE is an unofficial, independently developed Postprocessor IDE extension for SolidCAM. In versions 1.0.0 up to, but not including, 1.0.2, the `inc "filename"` directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code textDocument/documentLink). The handler accepted arbitrary paths: absolute paths, relative paths with parent-directory segments (..\..\..\), UNC paths (\\server\share\) and arbitrary subfolders. It then called File.Exists on each candidate to decide whether to render the link, so the probe runs when the link is computed for the open document, not when the link is clicked. Two distinct attack surfaces resulted: information disclosure, because whether a link is rendered reveals whether a file exists at an attacker-chosen path; and NTLM hash leak, because File.Exists on a UNC path makes the Windows SMB client authenticate to the named server. This issue has been patched in version 1.0.2.
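The validation a document-link handler needs in order to avoid both surfaces, as an added example in C#. This is not code from SolidCAM-GPPL-IDE or its fix; the class and method names, the `workspaceRoot`/`documentDir` parameters and the policy of linking only targets that canonicalise to a location inside the workspace are assumptions for illustration. The point it demonstrates is ordering: every rejection happens before any filesystem API is given the path, because with a UNC argument the File.Exists call itself is the network request that leaks the hash.

```csharp
using System;
using System.IO;

// Added example, not the SolidCAM-GPPL-IDE code base. Names and the
// "workspace-contained targets only" policy are assumptions.
public static class IncludeLinkResolver
{
    // Shape of the vulnerable behaviour described in the advisory: whatever
    // follows `inc` is handed straight to File.Exists. For \\host\share\x this
    // call makes the SMB client authenticate to host (NTLM hash leak), and the
    // resulting true/false decides whether a link is rendered (file probing).
    public static bool UnsafeShouldRenderLink(string includeArg)
        => File.Exists(includeArg);

    // Hardened shape: return the full path that may be probed, or null when the
    // target must not be touched. Callers invoke File.Exists only on a non-null
    // result, so rejected input never reaches the filesystem or the network.
    public static string ResolveIncludeTarget(string workspaceRoot, string documentDir, string includeArg)
    {
        if (string.IsNullOrWhiteSpace(includeArg)) return null;
        string arg = includeArg.Trim();

        // UNC and device-namespace paths (\\server\share\..., \\?\..., //host/...)
        // are rejected before any Path API sees them.
        if (arg.StartsWith(@"\\") || arg.StartsWith("//")) return null;

        // Absolute paths (C:\x, \x, /x) and anything containing a colon
        // (drive-relative C:x, alternate data streams) are rejected; only
        // document-relative includes are linkable.
        if (Path.IsPathRooted(arg) || arg.IndexOf(':') >= 0) return null;

        string root, full;
        try
        {
            // Canonicalise both sides so that ..\ segments, mixed separators and
            // redundant .\ are resolved before the containment check.
            root = Path.GetFullPath(workspaceRoot);
            full = Path.GetFullPath(Path.Combine(documentDir, arg));
        }
        catch (ArgumentException)
        {
            return null; // invalid path characters: nothing to link
        }

        // Trailing separator prevents C:\work\postprocessors-evil matching
        // a root of C:\work\postprocessors.
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Windows paths are case-insensitive, hence OrdinalIgnoreCase.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public static void Main()
    {
        // Constructed Windows paths for illustration (SolidCAM runs on Windows).
        string root = @"C:\work\postprocessors";
        string doc = @"C:\work\postprocessors\mill";
        string[] includes =
        {
            "common.gpp",                        // document-relative: linked
            @"..\lathe\tools.gpp",               // ..\ but still inside root: linked
            @"..\..\..\Windows\win.ini",         // escapes root: rejected
            @"\\attacker.example\share\x.gpp",   // UNC: rejected, no SMB traffic
            @"C:\Windows\win.ini",               // absolute: rejected
        };
        foreach (string inc in includes)
        {
            string target = ResolveIncludeTarget(root, doc, inc);
            Console.WriteLine($"{inc,-36} -> {(target ?? "rejected")}");
        }
    }
}
```

Rejecting every `..\` segment by pattern would also block legitimate includes from sibling folders; canonicalising with Path.GetFullPath and then checking containment against the workspace root accepts those while still refusing anything that resolves outside it. The UNC test is kept as a separate, earlier step because it is the one case where the later Path.GetFullPath call could itself be argued to touch the path, and because the cost of being wrong there is an outbound authentication, not a false link.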
References (3)
Confirm (x_refsource_confirm): https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-xvpx-9p39-g62m
Misc (x_refsource_misc): https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d
Misc (x_refsource_misc): https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2
Scores
CVSS v4: 5.1 (MEDIUM)
EPSS: 0.0005 (percentile 17.0%)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Base metrics: network attack vector, low complexity, no privileges required, active user interaction required (UI:A), low confidentiality impact, no integrity or availability impact.
Details
CWE
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
CWE-295 (Improper Certificate Validation)
CWE-918 (Server-Side Request Forgery)
Status
published
Products (1)
anzory/SolidCAM-GPPL-IDE: >= 1.0.0, < 1.0.2
Published
May 08, 2026
Tracked Since
May 09, 2026