Home > Vulnerability Database > CVE-2026-21857

Mend.io Vulnerability Database

CVE-2026-21857

Good to know:

Date: January 7, 2026

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the "EXPDIR" POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing "../" sequences (or even absolute paths inside the document root) to include any readable file in the generated ".tar.gz" archive. Version 5.20.2 fixes this issue.

Severity Score

8.7

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21857

Url: https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv

Url: https://github.com/redaxo/redaxo

Url: https://github.com/redaxo/redaxo/releases/tag/5.20.2

Url: https://www.mend.io/vulnerability-database/CVE-2026-21857

Severity Score

8.7

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Path Traversal: '../filedir'

CWE-24

Top Fix

Upgrade Version

Upgrade to version redaxo/source - 5.20.2

Learn More

CVSS v3.1

Base Score:	8.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21857

Good to know:

Date: January 7, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?