Cyber Resilience

CVE-2026-7519

Severity: Medium
Published: 01 May 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: available (upgrade to 2.1)
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0006 (19.4th percentile)
Risk Priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-7519 is a medium-severity Path Traversal (CWE-22) vulnerability in Feishu (inferred from references). Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7519 is a path traversal vulnerability (CWE-22) affecting Fujian Apex LiveBOS versions up to 2.0. The issue resides in an unidentified function behind the /feed/UploadImage.do endpoint (component: Endpoint), where manipulation of the 'filename' argument lets a caller reference paths outside the intended directory. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated high because the endpoint is reachable over the network and exploitation has no prerequisites.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction. Successful exploitation has a limited impact on confidentiality, integrity, and availability: crafted 'filename' values in upload requests can cause files outside the web root to be read, modified, or disrupted.

Advisories recommend upgrading to version 2.1 to mitigate the issue, with patching the affected component advised. Details are available in references including VulDB entries (vuldb.com/vuln/360333, vuldb.com/vuln/360333/cti, vuldb.com/submit/804096) and a Feishu document (my.feishu.cn/docx/TCyMdptvaoTQCvxkHLbceJZCnge?from=from_copylink). The exploit has been publicly disclosed and may be in use.

Vulnerability details

A vulnerability has been found in Fujian Apex LiveBOS up to 2.0. Impacted is an unknown function of the file /feed/UploadImage.do of the component Endpoint. Such manipulation of the argument filename leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1 is recommended to address this issue. Upgrading the affected component is advised.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

A path traversal flaw in a public-facing upload endpoint permits remote exploitation (T1190), and an upload path that escapes the intended directory is the kind of arbitrary file write used to deploy web shells (T1505.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-1661 (shared CWE-22)
- CVE-2026-33529 (shared CWE-22)
- CVE-2026-9550 (shared CWE-22)
- CVE-2024-44373 (shared CWE-22)
- CVE-2019-25471 (shared CWE-22)
- CVE-2024-11642 (shared CWE-22)
- CVE-2025-67684 (shared CWE-22)
- CVE-2025-41758 (shared CWE-22)
- CVE-2025-12382 (shared CWE-22)
- CVE-2025-54446 (shared CWE-22)

Affected Assets

Feishu (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- SI-2 Flaw Remediation (prevent): Remediates the path traversal flaw in Fujian Apex LiveBOS up to 2.0 by applying the recommended upgrade to version 2.1.
- SI-10 Information Input Validation (prevent): Validates the 'filename' argument in the /feed/UploadImage.do endpoint to block path traversal sequences like '../'.
- Boundary protection (prevent, detect): Enforces boundary protection at external interfaces using web application firewalls to inspect and block path traversal payloads in upload requests.
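As an added illustration of the SI-10 input-validation control above (example code written for this page, not code from LiveBOS or from the advisory), the Python below contrasts a bare substring check for '../' with a stricter validator that decodes the name once, rejects any path separator or control byte, enforces an image-extension allowlist, and confirms the resolved path still lies under the upload root. The upload root, the extension list and the sample filenames are assumptions made for the example.

```python
import os
import posixpath
import urllib.parse
from typing import Optional

# Hypothetical upload directory for the example; not LiveBOS's real path.
UPLOAD_ROOT = "/srv/app/uploads"

# Extensions an image-upload endpoint would plausibly accept (assumption).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def naive_is_blocked(filename: str) -> bool:
    """Blocklist check that only looks for a literal '../' substring.

    Kept here to show what such a check does not catch: percent-encoded
    dots and slashes, or backslash separators on Windows-hosted servers.
    """
    return "../" in filename


def resolve_upload_path(upload_root: str, filename: str) -> Optional[str]:
    """Return the absolute on-disk path for a client-supplied filename,
    or None when the name must be rejected (the caller should log it)."""
    # Decode percent-encoding once so '%2e%2e%2f' is inspected as '../'.
    name = urllib.parse.unquote(filename)
    # Treat backslashes as separators: Windows file APIs honour them.
    name = name.replace("\\", "/")
    # A filename must be a single path component: no separators, not '.'
    # or '..', not empty, and no NUL/control bytes (used to truncate paths
    # in some runtimes).
    if (not name or "/" in name or name in (".", "..")
            or any(ord(c) < 32 or c == "\x7f" for c in name)):
        return None
    # Allowlist the extension; traversal payloads usually also carry an
    # executable extension (e.g. a web shell) that an image endpoint never needs.
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the canonical path must remain under the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

Rejections return None rather than a sanitised name so that the request can be logged and counted; a spike of rejected 'filename' values on an upload endpoint is a useful detection signal.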
