CVE-2025-26138

Name of the Vulnerable Software and Affected Versions Systemic Risk Value versions <=2.8.0

Description The issue concerns improper access control. Specifically, in the /RiskValue/GroupingEntities/Controls/GetFile.aspx endpoint, the ID parameter is predictable and numerical, allowing unauthorized users to access and download files by incrementing or decrementing the ID. This means that uploaded files can be accessed without proper permission.

Recommendations For Systemic Risk Value versions <=2.8.0, as a temporary workaround, consider restricting access to the /RiskValue/GroupingEntities/Controls/GetFile.aspx endpoint until a patch is available. Additionally, avoid using the ID parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.