CVE-2026-0522

Name of the Vulnerable Software and Affected Versions VertiGIS FM version 10.5.00119 (0d29d428)

Description A local file inclusion issue exists in the upload/download functionality of VertiGIS FM. Authenticated attackers can read arbitrary files from the server by manipulating a file's path during upload. Downloading the file then returns the attacker-controlled file. The ASP.NET architecture may allow for remote code execution if the web.config file is obtained. UNC path resolution may also enable NTLM-relaying attacks.

Recommendations Update to a newer version that contains a fix for this vulnerability.