PT-2026-60261 · Openwrt · Openwrt

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-62947

CVSS v3.1

4.9

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions OpenWrt versions prior to 25.12.5
Description The cgi-download handler in cgi-io performs path authorization against the caller's ubus session file ACL before canonicalization. Additionally, rpcd session.c utilizes the fnmatch() function without the FNM PATHNAME flag. This combination allows for path traversal, where an allowed wildcard prefix followed by ../ can be used to read root-readable files, such as /etc/shadow.
Recommendations Update to version 25.12.5.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-62947

Affected Products

Openwrt