Cyber Resilience

CVE-2026-1811

MediumPublic PoC

Published: 03 February 2026

Published
03 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0046 36.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1811 is a medium-severity Path Traversal (CWE-22) vulnerability in Adlered Bolo-Solo. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1811 is a path traversal vulnerability (CWE-22) in bolo-blog bolo-solo versions up to 2.6.4. The flaw resides in the importFromMarkdown function within the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java, specifically affecting the Filename Handler component. By manipulating the File argument, attackers can traverse directories, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L). Successful exploitation allows limited impacts, including low-level confidentiality, integrity, and availability violations, such as unauthorized file access or modification outside intended paths.

Advisories reference an early issue report to the project at https://github.com/bolo-blog/bolo-solo/issues/327, but the maintainers have not responded. No patches or mitigations are mentioned in the available references, including VulDB entries at https://vuldb.com/?ctiid.343979, https://vuldb.com/?id.343979, and https://vuldb.com/?submit.742437.

An exploit has been publicly disclosed and may be actively used, as noted in vulnerability databases.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw has been found in bolo-blog bolo-solo up to 2.6.4. This affects the function importFromMarkdown of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. Executing a manipulation of the argument File can lead to path traversal. The attack may…

more

be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal enables arbitrary local file read/modification (T1005 Data from Local System) and is triggered via remote exploitation of a public-facing web app (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1812Same product: Adlered Bolo-Solo
CVE-2026-1810Same product: Adlered Bolo-Solo
CVE-2026-1691Same product: Adlered Bolo-Solo
CVE-2026-1813Same product: Adlered Bolo-Solo
CVE-2025-66687Shared CWE-22
CVE-2025-26753Shared CWE-22
CVE-2025-44177Shared CWE-22
CVE-2023-42226Shared CWE-22
CVE-2026-39859Shared CWE-22
CVE-2024-55457Shared CWE-22

Affected Assets

adlered
bolo-solo
≤ 2.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted file-name/path inputs to the importFromMarkdown function, blocking the directory-traversal sequences that constitute this CVE.

prevent

Enforces that every file-system access request is checked against an authorization policy, preventing the unauthorized reads/writes outside the intended backup directory.

prevent

Limits the privileges of the authenticated user account invoking BackupService, reducing the set of files that can be reached even if a traversal succeeds.

References