CVE-2026-2623
Published: 17 February 2026
Summary
CVE-2026-2623 is a medium-severity Path Traversal (CWE-22) vulnerability in Wangyunf Blossom. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 45.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2623 is a path traversal vulnerability (CWE-22) affecting Blossom versions up to 1.17.1. The flaw resides in the 'put' function within the file blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java, part of the File Upload component. Published on 2026-02-17 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it allows crafted input to the put function to traverse directories outside the intended upload location.
The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L). Attackers can initiate the exploit over the network with low complexity and no user interaction required, potentially achieving limited impacts on confidentiality, integrity, and availability. An exploit has been published and is available for use.
Advisories and details are available at referenced URLs including https://fx4tqqfvdw4.feishu.cn/docx/WmA3dzNfto3AxlxoFlqcu5amnXe and VulDB entries (https://vuldb.com/?ctiid.346274, https://vuldb.com/?id.346274, https://vuldb.com/?submit.751988). The vendor was contacted early about the disclosure but did not respond, and no patches or mitigations are mentioned in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7655
Vulnerability details
A flaw has been found in Blossom up to 1.17.1. This issue affects the function put of the file blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java of the component File Upload. This manipulation causes path traversal. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing file upload component directly enables remote exploitation of the application (T1190) and facilitates arbitrary file write for web shell deployment (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of file-path inputs in the BLOSManager.put upload function to reject traversal sequences such as '../'.
- AC-3 (Access Enforcement): enforces that the file-upload component only permits access to authorized paths, blocking the unauthorized directory traversal achieved by the crafted inputs.
- Least privilege for upload accounts: limits the write privileges granted to the low-privilege accounts that the published exploit uses to reach the vulnerable put method.
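As an added defensive example (not Blossom's own code), this is the check an upload `put` handler needs before it writes: the client-supplied name is resolved against a fixed storage root, normalized, and rejected unless the result still lies under that root. Matching on '../' alone is not sufficient because backslash separators, absolute paths and nested sequences like `a/../../x` slip past a literal blocklist; containment after canonicalization, applied to the final decoded name the code actually writes to, covers all of them. The `UploadPathGuard` class and `resolveSafely` method are assumed names.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Assumed helper (not from the Blossom project): confines upload targets to one storage root. */
public final class UploadPathGuard {
    private final Path root;

    public UploadPathGuard(Path storageRoot) {
        // Canonical, absolute root so every comparison below is against one fixed prefix.
        this.root = storageRoot.toAbsolutePath().normalize();
    }

    /**
     * Resolves a client-supplied relative name under the storage root and throws if the
     * normalized result escapes it, so "..", backslash separators and absolute inputs are rejected.
     */
    public Path resolveSafely(String clientName) {
        if (clientName == null || clientName.isEmpty() || clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        // Treat backslashes as separators even on POSIX hosts, so "..\" is not kept by
        // normalize() as a single harmless-looking name element.
        Path candidate = Paths.get(clientName.replace('\\', '/'));
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed: " + clientName);
        }
        Path resolved = root.resolve(candidate).normalize();
        // Path.startsWith compares whole name elements, so "/data/uploads-evil" does not match "/data/uploads".
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("path escapes upload root: " + clientName);
        }
        return resolved;
    }

    // Constructed demonstration inputs; nothing is written to disk.
    public static void main(String[] args) {
        UploadPathGuard guard = new UploadPathGuard(Paths.get("/data/uploads"));
        String[] samples = { "img/a.png", "ok/../b.txt", "../etc/passwd", "..\\..\\secret", "/etc/passwd", "a/../../x" };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + guard.resolveSafely(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Of the constructed samples, only `img/a.png` and `ok/../b.txt` are accepted (the latter normalizes to `/data/uploads/b.txt`); the remaining four resolve outside the root and are rejected before any file is opened.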