Cyber Posture

CVE-2026-1022

Severity: High

Published: 16 January 2026
Modified: 23 January 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0003 (10.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1022 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Gotac Statistics Database System. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 10.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Data from Local System (T1005).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Direct unauthenticated remote arbitrary file read via path traversal on public-facing app enables T1190 exploitation and T1005 local system data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.

Deeper analysis

CVE-2026-1022 is an Arbitrary File Read vulnerability in the Statistics Database System developed by Gotac. The issue arises from Relative Path Traversal (CWE-23), which allows unauthenticated remote attackers to download arbitrary system files. Published on 2026-01-16, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity primarily due to its confidentiality impact over the network with low complexity.

Unauthenticated remote attackers can exploit this vulnerability from anywhere with network access, requiring no privileges or user interaction. Successful exploitation enables attackers to traverse paths and retrieve sensitive system files, potentially exposing configuration details, credentials, or other critical data without affecting integrity or availability.
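The defensive counterpart to the flaw described above, as an added example that is not code from Gotac or from the advisories: a download-path resolver that rejects CWE-23 relative path traversal (including percent-encoded and backslash variants), plus a detection pass over constructed web-server log lines. The base directory, endpoint name and log lines are hypothetical.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested file name escapes the allowed directory."""


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Map a client-supplied file name to a path inside base_dir, or raise.

    Mitigation for CWE-23 style arbitrary file read: decode, normalise, then
    verify that the real (symlink-resolved) path still lies under base_dir.
    """
    base = os.path.realpath(base_dir)
    # Decode twice so a double-encoded "%252e%252e/" cannot slip past one pass.
    name = unquote(unquote(requested))
    # Treat backslashes as separators; some servers accept both forms.
    name = name.replace("\\", "/")
    if "\x00" in name:
        raise PathTraversalError("NUL byte in requested file name")
    candidate = os.path.realpath(os.path.join(base, name.lstrip("/")))
    # realpath has already collapsed every "..": the containment check is what
    # decides, not a blocklist of patterns.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def is_safe_download(base_dir: str, requested: str) -> bool:
    """True if the request resolves inside base_dir, False if it is rejected."""
    try:
        resolve_download_path(base_dir, requested)
        return True
    except PathTraversalError:
        return False


# Detection side: markers that indicate a traversal attempt in the request URL.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "%252e", "..%2f", "..%5c")


def flag_traversal_requests(log_lines):
    """Return the request strings whose URL carries a traversal marker."""
    hits = []
    for line in log_lines:
        parts = line.split('"')  # common log format: request is the quoted field
        if len(parts) < 2:
            continue
        if any(m in parts[1].lower() for m in TRAVERSAL_MARKERS):
            hits.append(parts[1])
    return hits


# Constructed sample log lines (hypothetical /download endpoint and file names).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jan/2026:10:00:01 +0000] "GET /download?file=2025%2Fq1.csv HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Jan/2026:10:00:07 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1840',
    '203.0.113.9 - - [16/Jan/2026:10:00:09 +0000] "GET /download?file=%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0',
]
```

The resolver is the fix; the log pass is the hunt query to run while the patch is being rolled out, since a 200 response on a flagged request is the signal that a file left the server.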

TWCERT/CC advisories provide further details on the vulnerability, including mitigation recommendations; refer to https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html and https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html for patch information and remediation guidance.

Details

CWE(s)

CWE-23 Relative Path Traversal

Affected Products

Gotac Statistics Database System, versions ≤ 1.0.3

CVEs Like This One

CVE-2026-1023 (same product: Gotac Statistics Database System)
CVE-2024-56340 (shared CWE-23)
CVE-2025-20059 (shared CWE-23)
CVE-2025-2056 (shared CWE-23)
CVE-2026-43533 (shared CWE-23)
CVE-2025-27610 (shared CWE-23)
CVE-2025-55747 (shared CWE-23)
CVE-2025-27553 (shared CWE-23)
CVE-2026-1018 (same vendor: Gotac)
CVE-2026-1021 (same vendor: Gotac)

References

https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html
https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html