Cyber Resilience

CVE-2022-26960

Critical · Public PoC

Published: 21 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fix committed upstream (see Deeper analysis)
CVSS v3.1 score: 9.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.8415 (99.3rd percentile)
Risk priority: 69 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26960 is a critical-severity path traversal (CWE-22) vulnerability in std42 elFinder. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-26960 is a path traversal vulnerability in connector.minimal.php within std42 elFinder versions through 2.1.60. The flaw stems from improper handling of absolute file paths; it is tracked under CWE-22 and carries a CVSS 3.1 base score of 9.1.

Unauthenticated remote attackers can exploit the issue over the network to read, write, and browse arbitrary files outside the application's configured document root, achieving high impact on confidentiality and integrity without any user interaction or privileges.

Public references point to a fix committed to the elFinder repository that corrects the path handling logic, and a detailed analysis from Synacktiv describes the vulnerability and its exploitation implications. The associated EPSS score remains elevated near 0.84, with no material post-disclosure climb indicated.

Vulnerability details

connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal caused by improper handling of absolute file paths. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: std42
Product: elfinder
Versions: ≤ 2.1.61

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.