Cyber Resilience

CVE-2026-6057

Severity: Critical
Published: 10 April 2026
Modified: 19 May 2026
Patch: available (FalkorDB Browser pull request #1611)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0093 (55.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-6057 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). By EPSS the CVE ranks in the top 44.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-6057 is an unauthenticated path traversal vulnerability (CWE-22) in the file upload API of FalkorDB Browser version 1.9.3. This flaw enables remote attackers to write arbitrary files outside the intended directory, potentially leading to remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of required privileges.

Remote attackers can exploit this vulnerability without authentication by sending specially crafted requests to the file upload API, traversing directory paths to overwrite or create files in sensitive locations such as web roots or executable directories. Successful exploitation allows arbitrary file writes, which can result in remote code execution on the affected server, granting attackers full control over the system including data exfiltration, persistence, or lateral movement.

Mitigation details are referenced in the FalkorDB Browser GitHub repository and pull request #1611, which addresses the issue with a code fix available for integration. Security practitioners should update to a patched version later than 1.9.3 and review their own file upload endpoints for similar path traversal risks.

Vulnerability details

FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated path traversal in public-facing file upload API enables arbitrary file writes leading to RCE, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)
CVE-2026-31817 (shared CWE-22)

Affected Assets

FalkorDB Browser 1.9.3

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Directly mitigates path traversal (CWE-22) by requiring validation of file paths in unauthenticated upload API requests to block arbitrary file writes.

prevent: Mandates timely patching of the specific flaw in FalkorDB Browser 1.9.3 as provided in the vendor's GitHub pull request #1611.

prevent: IA-8 (Identification and Authentication (Non-organizational Users)). Requires identification and authentication for non-organizational users (remote attackers), blocking unauthenticated access to the vulnerable file upload API.
