Cyber Resilience

CVE-2026-2623

Severity: Medium · Public PoC

Published: 17 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 score: 5.3 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0063 (45.6th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-2623 is a medium-severity Path Traversal (CWE-22) vulnerability in Wangyunf Blossom. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranks at the 45.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2623 is a path traversal vulnerability (CWE-22) affecting Blossom versions up to 1.17.1. The flaw resides in the 'put' function in the file blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java, part of the File Upload component. Published on 2026-02-17 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it allows crafted input to the upload path to traverse outside the intended directory.

The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L). Attackers can initiate the exploit over the network with low complexity and no user interaction required, potentially achieving limited impacts on confidentiality, integrity, and availability. An exploit has been published and is available for use.

Advisories and details are available at referenced URLs including https://fx4tqqfvdw4.feishu.cn/docx/WmA3dzNfto3AxlxoFlqcu5amnXe and VulDB entries (https://vuldb.com/?ctiid.346274, https://vuldb.com/?id.346274, https://vuldb.com/?submit.751988). The vendor was contacted early about the disclosure but did not respond, and no patches or mitigations are mentioned in the available information.

Vulnerability details

A flaw has been found in Blossom up to 1.17.1. This issue affects the function put of the file blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java of the component File Upload. This manipulation causes path traversal. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in the public-facing file-upload component directly enables remote exploitation of the application (T1190) and, because it provides an arbitrary file write, facilitates web shell deployment (T1505.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24406 (shared CWE-22)
CVE-2026-24848 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2026-36760 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-7519 (shared CWE-22)
CVE-2019-25480 (shared CWE-22)
CVE-2026-39844 (shared CWE-22)
CVE-2026-34607 (shared CWE-22)

Affected Assets

wangyunf / blossom, versions ≤ 1.17.1

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

Prevent: Directly requires validation of file-path inputs in the BLOSManager.put upload function to reject traversal sequences such as '../'.

Prevent: Enforces that the file-upload component only permits access to authorized paths, blocking the unauthorized directory traversal achieved by the crafted inputs.

Prevent: Limits the write privileges granted to the low-privilege accounts that the published exploit uses to reach the vulnerable put method.
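The input-validation and authorized-path controls above, shown as an added Java example that is not Blossom's code and not its actual put implementation (the class SafeUploadPath, the method resolve and the sample inputs are constructed for illustration): the upload root is canonicalised once, the client-supplied name is resolved against it, and anything that lands outside the root is rejected, including absolute paths, '../' sequences and symlinked subdirectories.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical hardened resolver for an upload "put" destination. Not Blossom's code. */
public final class SafeUploadPath {
    private final Path baseDir;

    public SafeUploadPath(Path baseDir) throws IOException {
        // Canonicalise the upload root once: follows symlinks and strips "." / ".." segments.
        this.baseDir = baseDir.toRealPath();
    }

    /** Maps a client-supplied name to a path under baseDir, or throws if it would escape. */
    public Path resolve(String name) throws IOException {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        // resolve() keeps an absolute input as-is; normalize() collapses "../" lexically.
        Path candidate = baseDir.resolve(name).normalize();
        // Component-wise prefix check: "/srv/uploads-evil" does not start with "/srv/uploads".
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes upload root: " + name);
        }
        // If the target directory already exists, make sure no symlink inside baseDir leads out.
        Path parent = candidate.getParent();
        if (Files.exists(parent) && !parent.toRealPath().startsWith(baseDir)) {
            throw new SecurityException("symlink escapes upload root: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");
        SafeUploadPath resolver = new SafeUploadPath(root);
        // Constructed inputs: one legitimate name, three that must be rejected.
        String[] inputs = {"2026/report.pdf", "../../etc/passwd", "/etc/passwd", "a/../../b"};
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT " + in + " -> " + resolver.resolve(in));
            } catch (RuntimeException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The lexical normalize/startsWith check alone is not enough once an attacker can create symlinks under the upload root, which is why the parent directory is re-canonicalised before the path is returned.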
