CVE-2026-1810
Published: 03 February 2026
Summary
CVE-2026-1810 is a medium-severity Path Traversal (CWE-22) vulnerability in Adlered Bolo-Solo. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents path traversal by requiring validation of the manipulated File argument in the unpackFilteredZip function during ZIP unpacking.
Mandates identification, reporting, and correction of the specific path traversal flaw in BackupService.java through timely patching.
Enforces least privilege on the backup service process to restrict access and limit damage from path traversal to only authorized directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal vulnerability in a public-facing web application (bolo-solo) directly enables remote exploitation of a public-facing application.
NVD Description
A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulation of the argument File results in path traversal. The attack…
more
is possible to be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-1810 is a path traversal vulnerability (CWE-22) affecting bolo-blog's bolo-solo application up to version 2.6.4. The issue resides in the unpackFilteredZip function within the ZIP File Handler component, specifically in the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java. By manipulating the File argument, attackers can exploit this flaw remotely, as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, allowing path traversal to access or manipulate files outside the intended directory during ZIP unpacking operations.
Advisories from VulDB (ctiid.343978, id.343978) detail the issue, noting that an exploit is publicly available and the project was notified early via GitHub issue #326 in the bolo-blog/bolo-solo repository, but has not yet responded or released patches. Security practitioners should monitor the repository and issue tracker for updates, restrict access to backup services, and consider disabling or isolating ZIP handling features until mitigation is available.
The exploit code is public, increasing the risk of active targeting, though no confirmed real-world exploitation has been reported as of the CVE publication on 2026-02-03.
Details
- CWE(s)