CVE-2026-30996
Published: 15 April 2026
Summary
CVE-2026-30996 is a high-severity Path Traversal (CWE-22) vulnerability in the download.php component of SAC-NFe version 2.0.02 (the advisory references are hosted on joaopaulodeoliveira.dev; that is the reporter's site, not the affected product). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-30996, published on 2026-04-15, is a directory traversal vulnerability (CWE-22) in the file handling logic of the download.php component within SAC-NFe version 2.0.02. The flaw enables attackers to read arbitrary files from the affected system by sending a crafted GET request. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its potential for significant data exposure.
The vulnerability can be exploited by remote, unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows reading of sensitive arbitrary files, resulting in high confidentiality impact (C:H), but does not affect integrity (I:N) or availability (A:N).
Advisories providing further details are available at https://cve.joaopaulodeoliveira.dev/cve.php/published/CVE-2026-30996 and https://cve.joaopaulodeoliveira.dev/cve.php/reserved/softsul-path-transversal.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22977
Vulnerability details
An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
A directory traversal in the internet-facing download.php endpoint maps directly to T1190 (Exploit Public-Facing Application): a single unauthenticated GET request to the exposed web application returns the contents of files the attacker names, with no other access to the host required.
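The operational side of T1190 for this bug is detection: traversal attempts against download.php leave a clear trace in the web server's access log. The script below is an added example, not code from the page or from the SAC-NFe project. It parses constructed Apache-style log lines (the IPs, timestamps and the `file=` query parameter are made up for the example; the real parameter name is not stated in the advisory, so every query parameter is inspected rather than one fixed name), decodes values repeatedly to catch single- and double-URL-encoding, and flags any value that contains a `..` segment, an absolute path or a NUL byte. The HTTP status is carried through because a 200 on a flagged request is the strongest sign the read succeeded.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access log (Apache combined format). Not real traffic; the
# parameter name "file" is an assumption made for the example only.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2026:10:01:02 +0000] "GET /sacnfe/download.php?file=nfe-2026-0001.xml HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Apr/2026:10:01:09 +0000] "GET /sacnfe/download.php?file=../../../../etc/passwd HTTP/1.1" 200 1832 "-" "curl/8.5.0"
198.51.100.7 - - [15/Apr/2026:10:02:31 +0000] "GET /sacnfe/download.php?file=..%2F..%2F..%2Fconfig.php HTTP/1.1" 200 956 "-" "python-requests/2.31"
198.51.100.7 - - [15/Apr/2026:10:02:40 +0000] "GET /sacnfe/download.php?file=%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 404 231 "-" "python-requests/2.31"
192.0.2.44 - - [15/Apr/2026:10:03:00 +0000] "GET /sacnfe/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e%252e (double-encoded ..)
    is seen as the same thing as %2e%2e and as a literal '..'. Bounded to avoid
    spending unbounded time on pathological input."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if a parameter value, once decoded, could walk outside a base directory."""
    v = fully_decode(value).replace("\\", "/")  # treat backslash like slash (Windows hosts)
    if "\x00" in v:                              # NUL truncation trick against older runtimes
        return True
    segments = v.split("/")
    return ".." in segments or v.startswith("/") or bool(re.match(r"^[A-Za-z]:/", v))


def find_traversal_attempts(log_text: str, script: str = "download.php") -> list:
    """Scan access-log text and return one record per query parameter that looks like
    a traversal attempt against the named script, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(script):
            continue
        # parse_qsl decodes once; fully_decode inside is_traversal handles further layers.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_traversal(value):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "param": name,
                    "decoded": fully_decode(value),
                    "status": int(m["status"]),  # 200 = the read most likely succeeded
                })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Run against a real log, the same function can be pointed at every script rather than download.php alone by passing `script=".php"`; the decoded value is returned so the analyst sees what file was actually requested, not the encoded form that evaded a naive grep for `../`.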
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of the user-supplied file path in GET requests to download.php, rejecting traversal sequences and anything that is not an expected filename before it reaches the filesystem.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to system files, so that even if a traversal sequence gets through validation, the web application's effective permissions and a canonicalized base-directory check block reads of arbitrary files.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of the flaw in the SAC-NFe v2.0.02 download.php file handling logic.
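What SI-10 and AC-3 mean at the code level for a file-download endpoint is shown below. This is an added Python example, not the vendor's PHP and not a reconstruction of the actual download.php logic, which the advisory does not publish; it models the classic mistake (joining a user-controlled name onto a base directory with no containment check) beside a hardened resolver. The hardened version validates the input first (plain filename, allow-listed extension) and then, independently, canonicalizes both the base directory and the target with symlinks resolved and requires the target to be a direct child of the base. The second check is the one that still holds when validation is bypassed or when a symlink has been left inside the download directory. The directory layout, file names and contents are constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path


class DownloadRejected(Exception):
    """Raised when a requested name fails validation or would leave the download directory."""


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The pattern behind CWE-22: user input joined straight onto the base directory.
    '../' segments walk out of base_dir, and an absolute name discards base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str, allowed_suffixes=(".xml", ".pdf")) -> Path:
    """Validate (SI-10), then enforce containment on the canonical path (AC-3)."""
    # SI-10: a download name must be a bare filename with an expected extension.
    if not requested or "\x00" in requested:
        raise DownloadRejected("empty name or NUL byte")
    if "/" in requested or "\\" in requested or requested in (".", ".."):
        raise DownloadRejected("path separators are not permitted in a download name")
    if Path(requested).suffix.lower() not in allowed_suffixes:
        raise DownloadRejected(f"extension not in allow-list: {requested!r}")
    # AC-3: canonicalize both sides (symlinks followed) and require the target to be a
    # direct child of the download directory. This holds even if the checks above are
    # bypassed or a symlink inside base_dir points elsewhere.
    base = Path(base_dir).resolve(strict=True)
    target = (base / requested).resolve()
    if target.parent != base:
        raise DownloadRejected(f"{requested!r} resolves outside {base}")
    if not target.is_file():
        raise DownloadRejected("no such file")
    return target


def demo() -> dict:
    """Build a throw-away layout (constructed for this example), run both resolvers on
    the same probes, and report whether each one escapes the download directory."""
    root = Path(tempfile.mkdtemp())
    try:
        base = root / "nfe"
        base.mkdir()
        (base / "nfe-2026-0001.xml").write_text("<nfe/>")
        secret = root / "secret.txt"
        secret.write_text("db password")
        (base / "link.xml").symlink_to(secret)  # a stray symlink inside the download dir
        base_real = os.path.realpath(str(base))

        probes = {
            "legit": "nfe-2026-0001.xml",
            "dotdot": "../secret.txt",
            "absolute": str(secret),
            "symlink": "link.xml",
        }
        results = {}
        for label, name in probes.items():
            vuln = vulnerable_resolve(str(base), name)
            escapes = not os.path.realpath(vuln).startswith(base_real + os.sep)
            try:
                safe = str(safe_resolve(str(base), name))
            except DownloadRejected as exc:
                safe = f"rejected: {exc}"
            results[label] = {"vulnerable": vuln, "vulnerable_escapes": escapes, "safe": safe}
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} vulnerable -> {outcome['vulnerable']} (escapes={outcome['vulnerable_escapes']})")
        print(f"{'':9s} safe       -> {outcome['safe']}")
```

The point of keeping two independent layers is that input validation alone is brittle (encoding tricks, platform-specific separators, a future code change that forgets to call it), whereas a containment check on the resolved path fails closed regardless of how the name was constructed. In PHP the equivalent of the second layer is comparing `realpath()` of the joined path against `realpath()` of the base directory before calling `readfile()`, and refusing when `realpath()` returns false or the prefix does not match.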