Cyber Resilience

CVE-2026-30996

Severity: High

Published: 15 April 2026
Modified: 27 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0056 (68.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30996 is a high-severity Path Traversal (CWE-22) vulnerability in Joaopaulodeoliveira (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30996, published on 2026-04-15, is a directory traversal vulnerability (CWE-22) in the file handling logic of the download.php component within SAC-NFe version 2.0.02. The flaw enables attackers to read arbitrary files from the affected system by sending a crafted GET request. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its potential for significant data exposure.

The vulnerability can be exploited by remote, unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows reading of sensitive arbitrary files, resulting in high confidentiality impact (C:H), but does not affect integrity (I:N) or availability (A:N).

Advisories providing further details are available at https://cve.joaopaulodeoliveira.dev/cve.php/published/CVE-2026-30996 and https://cve.joaopaulodeoliveira.dev/cve.php/reserved/softsul-path-transversal.

Vulnerability details

An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directory traversal in public-facing download.php component directly matches T1190 (Exploit Public-Facing Application) for remote unauthenticated file access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64075 (shared CWE-22)
CVE-2024-53537 (shared CWE-22)
CVE-2024-36512 (shared CWE-22)
CVE-2025-0493 (shared CWE-22)
CVE-2025-70231 (shared CWE-22)
CVE-2026-43888 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2026-25785 (shared CWE-22)
CVE-2025-11366 (shared CWE-22)
CVE-2026-1810 (shared CWE-22)

Affected Assets

Joaopaulodeoliveira
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Requires validation of user-supplied file path inputs in crafted GET requests to download.php, directly preventing directory traversal exploitation.

Prevent: AC-3 (Access Enforcement). Enforces approved authorizations for logical access to system files, blocking unauthorized reads of arbitrary files even if traversal occurs.

Prevent: Mandates timely identification, reporting, and remediation of the specific flaw in SAC-NFe v2.0.02 download.php file handling logic.
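As an added illustration, not code from the advisory or from SAC-NFe (whose download.php is not shown on this page), the Python below implements the SI-10 input-validation check a download handler should apply to a user-supplied file parameter, and then runs the same check over constructed web-server access-log lines to flag download.php requests that an unpatched handler would have served. The download root `/var/www/downloads`, the common log format and the parameter name `file` are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

def resolve_download_path(base_dir: str, requested: str):
    """Return the absolute path of `requested` inside `base_dir`, or None when
    the (already URL-decoded, as PHP's $_GET delivers it) value would escape
    the download root. This is the SI-10 input-validation step."""
    if not requested or "%" in requested or "\x00" in requested:
        return None  # empty, double-encoded, or null-byte-truncated input
    requested = requested.replace("\\", "/")  # treat '..\' like '../'
    if requested.startswith("/") or ".." in requested.split("/"):
        return None  # absolute path, or a '..' segment anywhere
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    # realpath also resolves symlinks, so a link pointing outside root is caught.
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        return None
    return candidate

# Constructed sample access-log lines (assumed format); not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Apr/2026:10:00:01 +0000] "GET /download.php?file=nfe-123.xml HTTP/1.1" 200 4096
192.0.2.11 - - [15/Apr/2026:10:00:05 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1432
192.0.2.12 - - [15/Apr/2026:10:00:09 +0000] "GET /download.php?file=..%2F..%2Fconfig.php HTTP/1.1" 200 880
192.0.2.13 - - [15/Apr/2026:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) .*"GET (\S+) HTTP/[\d.]+" (\d{3})')

def find_traversal_attempts(log_text: str, base_dir: str = "/var/www/downloads"):
    """Return (client_ip, decoded file parameter, status) for download.php
    requests whose file= value fails resolve_download_path(). A 200 status on
    such a request means the unpatched handler most likely served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        parsed = urlparse(url)
        if parsed.path != "/download.php":
            continue
        for value in parse_qs(parsed.query).get("file", []):  # decodes once
            if resolve_download_path(base_dir, value) is None:
                hits.append((ip, value, int(status)))
    return hits
```

Rejecting the request before the filesystem is touched is the SI-10 control; running the handler as a user that can only read the download root provides the AC-3 backstop should the check ever be bypassed.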
