EEF-CVE-2026-21620

See a problem?
Please try reporting it to the source first.
Source
https://cna.erlef.org/osv/EEF-CVE-2026-21620.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-21620.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-21620
Aliases
Published
2026-02-20T10:57:08.620Z
Modified
2026-04-07T15:00:15.256145Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
TFTP Path Traversal
Details

Summary

Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftpfile modules), erlang otp inets (tftpfile modules), erlang otp tftp (tftpfile modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftpfile.erl, src/tftp_file.erl.

This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.

Configuration

A TFTP server must be started and the TFTP port must be reachable by the attacker, using the tftp application (or the legacy inets TFTP service) with the tftpfile callback module configured with the {rootdir, Dir} option.

Database specific 
{
    "cwe_ids": [
        "CWE-23"
    ],
    "capec_ids": [
        "CAPEC-139"
    ],
    "cpe_ids": [
        "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
    ]
}
References
Credits
    • Luigino Camastra - REPORTER
    • Jakub Witczak - REMEDIATION_REVIEWER
    • Raimo Niskanen - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type
GIT
Repo
https://github.com/erlang/otp
Events
Introduced
07b8f441ca711f9812fad9e9115bab3c3aa92f79
Fixed
655fb95725ba2fb811740b57e106873833824344
Fixed
3970738f687325138eb75f798054fa8960ac354e
Fixed
696fdec922661d4a3cc528fc34bc24fae8d4ad8a

Affected versions

OTP-17.*
OTP-17.0
OTP-17.0.1
OTP-17.0.2
OTP-17.1
OTP-17.1.1
OTP-17.1.2
OTP-17.2
OTP-17.2.1
OTP-17.2.2
OTP-17.3
OTP-17.3.1
OTP-17.3.2
OTP-17.3.3
OTP-17.3.4
OTP-17.4
OTP-17.4.1
OTP-17.5
OTP-17.5.1
OTP-17.5.2
OTP-17.5.3
OTP-17.5.4
OTP-17.5.5
OTP-17.5.6
OTP-17.5.6.1
OTP-17.5.6.10
OTP-17.5.6.2
OTP-17.5.6.3
OTP-17.5.6.4
OTP-17.5.6.5
OTP-17.5.6.6
OTP-17.5.6.7
OTP-17.5.6.8
OTP-17.5.6.9
OTP-18.*
OTP-18.0
OTP-18.0-rc1
OTP-18.0-rc2
OTP-18.0.1
OTP-18.0.2
OTP-18.0.3
OTP-18.1
OTP-18.1.1
OTP-18.1.2
OTP-18.1.3
OTP-18.1.4
OTP-18.1.5
OTP-18.2
OTP-18.2.1
OTP-18.2.2
OTP-18.2.3
OTP-18.2.4
OTP-18.2.4.0.1
OTP-18.2.4.1
OTP-18.3
OTP-18.3.1
OTP-18.3.2
OTP-18.3.3
OTP-18.3.4
OTP-18.3.4.1
OTP-18.3.4.1.1
OTP-18.3.4.10
OTP-18.3.4.11
OTP-18.3.4.2
OTP-18.3.4.3
OTP-18.3.4.4
OTP-18.3.4.5
OTP-18.3.4.6
OTP-18.3.4.7
OTP-18.3.4.8
OTP-18.3.4.9
OTP-19.*
OTP-19.0
OTP-19.0-rc1
OTP-19.0-rc2
OTP-19.0.1
OTP-19.0.2
OTP-19.0.3
OTP-19.0.4
OTP-19.0.5
OTP-19.0.6
OTP-19.0.7
OTP-19.1
OTP-19.1.1
OTP-19.1.2
OTP-19.1.3
OTP-19.1.4
OTP-19.1.5
OTP-19.1.6
OTP-19.1.6.1
OTP-19.2
OTP-19.2.1
OTP-19.2.2
OTP-19.2.3
OTP-19.2.3.1
OTP-19.3
OTP-19.3.1
OTP-19.3.2
OTP-19.3.3
OTP-19.3.4
OTP-19.3.5
OTP-19.3.6
OTP-19.3.6.1
OTP-19.3.6.10
OTP-19.3.6.11
OTP-19.3.6.12
OTP-19.3.6.13
OTP-19.3.6.2
OTP-19.3.6.3
OTP-19.3.6.4
OTP-19.3.6.5
OTP-19.3.6.6
OTP-19.3.6.7
OTP-19.3.6.8
OTP-19.3.6.9
OTP-20.*
OTP-20.0
OTP-20.0-rc1
OTP-20.0-rc2
OTP-20.0.1
OTP-20.0.2
OTP-20.0.3
OTP-20.0.4
OTP-20.0.5
OTP-20.1
OTP-20.1.1
OTP-20.1.2
OTP-20.1.3
OTP-20.1.4
OTP-20.1.5
OTP-20.1.6
OTP-20.1.7
OTP-20.1.7.1
OTP-20.2
OTP-20.2.0.1
OTP-20.2.1
OTP-20.2.2
OTP-20.2.3
OTP-20.2.4
OTP-20.3
OTP-20.3.1
OTP-20.3.2
OTP-20.3.2.1
OTP-20.3.3
OTP-20.3.4
OTP-20.3.5
OTP-20.3.6
OTP-20.3.7
OTP-20.3.8
OTP-20.3.8.1
OTP-20.3.8.10
OTP-20.3.8.11
OTP-20.3.8.12
OTP-20.3.8.13
OTP-20.3.8.14
OTP-20.3.8.15
OTP-20.3.8.16
OTP-20.3.8.17
OTP-20.3.8.18
OTP-20.3.8.19
OTP-20.3.8.2
OTP-20.3.8.20
OTP-20.3.8.21
OTP-20.3.8.22
OTP-20.3.8.23
OTP-20.3.8.24
OTP-20.3.8.25
OTP-20.3.8.26
OTP-20.3.8.3
OTP-20.3.8.4
OTP-20.3.8.5
OTP-20.3.8.6
OTP-20.3.8.7
OTP-20.3.8.8
OTP-20.3.8.9
OTP-21.*
OTP-21.0
OTP-21.0-rc1
OTP-21.0-rc2
OTP-21.0.1
OTP-21.0.2
OTP-21.0.3
OTP-21.0.4
OTP-21.0.5
OTP-21.0.6
OTP-21.0.7
OTP-21.0.8
OTP-21.0.9
OTP-21.1
OTP-21.1.1
OTP-21.1.2
OTP-21.1.3
OTP-21.1.4
OTP-21.2
OTP-21.2.1
OTP-21.2.2
OTP-21.2.3
OTP-21.2.4
OTP-21.2.5
OTP-21.2.6
OTP-21.2.7
OTP-21.3
OTP-21.3.1
OTP-21.3.2
OTP-21.3.3
OTP-21.3.4
OTP-21.3.5
OTP-21.3.6
OTP-21.3.7
OTP-21.3.7.1
OTP-21.3.8
OTP-21.3.8.1
OTP-21.3.8.10
OTP-21.3.8.11
OTP-21.3.8.12
OTP-21.3.8.13
OTP-21.3.8.14
OTP-21.3.8.15
OTP-21.3.8.16
OTP-21.3.8.17
OTP-21.3.8.18
OTP-21.3.8.19
OTP-21.3.8.2
OTP-21.3.8.20
OTP-21.3.8.21
OTP-21.3.8.22
OTP-21.3.8.23
OTP-21.3.8.24
OTP-21.3.8.3
OTP-21.3.8.4
OTP-21.3.8.5
OTP-21.3.8.6
OTP-21.3.8.7
OTP-21.3.8.8
OTP-21.3.8.9
OTP-22.*
OTP-22.0
OTP-22.0-rc1
OTP-22.0-rc2
OTP-22.0-rc3
OTP-22.0.1
OTP-22.0.2
OTP-22.0.3
OTP-22.0.4
OTP-22.0.5
OTP-22.0.6
OTP-22.0.7
OTP-22.1
OTP-22.1.1
OTP-22.1.2
OTP-22.1.3
OTP-22.1.4
OTP-22.1.5
OTP-22.1.6
OTP-22.1.7
OTP-22.1.8
OTP-22.1.8.1
OTP-22.2
OTP-22.2.1
OTP-22.2.2
OTP-22.2.3
OTP-22.2.4
OTP-22.2.5
OTP-22.2.6
OTP-22.2.7
OTP-22.2.8
OTP-22.3
OTP-22.3.1
OTP-22.3.2
OTP-22.3.3
OTP-22.3.4
OTP-22.3.4.1
OTP-22.3.4.10
OTP-22.3.4.11
OTP-22.3.4.12
OTP-22.3.4.12.1
OTP-22.3.4.13
OTP-22.3.4.14
OTP-22.3.4.15
OTP-22.3.4.16
OTP-22.3.4.17
OTP-22.3.4.18
OTP-22.3.4.19
OTP-22.3.4.2
OTP-22.3.4.20
OTP-22.3.4.21
OTP-22.3.4.22
OTP-22.3.4.23
OTP-22.3.4.24
OTP-22.3.4.25
OTP-22.3.4.26
OTP-22.3.4.27
OTP-22.3.4.3
OTP-22.3.4.4
OTP-22.3.4.5
OTP-22.3.4.6
OTP-22.3.4.7
OTP-22.3.4.8
OTP-22.3.4.9
OTP-23.*
OTP-23.0
OTP-23.0-rc1
OTP-23.0-rc2
OTP-23.0-rc3
OTP-23.0.1
OTP-23.0.2
OTP-23.0.3
OTP-23.0.4
OTP-23.1
OTP-23.1.1
OTP-23.1.2
OTP-23.1.3
OTP-23.1.4
OTP-23.1.4.1
OTP-23.1.5
OTP-23.2
OTP-23.2.1
OTP-23.2.2
OTP-23.2.3
OTP-23.2.4
OTP-23.2.5
OTP-23.2.6
OTP-23.2.7
OTP-23.2.7.1
OTP-23.2.7.2
OTP-23.2.7.3
OTP-23.2.7.4
OTP-23.2.7.5
OTP-23.3
OTP-23.3.1
OTP-23.3.2
OTP-23.3.3
OTP-23.3.4
OTP-23.3.4.1
OTP-23.3.4.10
OTP-23.3.4.11
OTP-23.3.4.12
OTP-23.3.4.13
OTP-23.3.4.14
OTP-23.3.4.15
OTP-23.3.4.16
OTP-23.3.4.17
OTP-23.3.4.18
OTP-23.3.4.19
OTP-23.3.4.2
OTP-23.3.4.20
OTP-23.3.4.3
OTP-23.3.4.4
OTP-23.3.4.5
OTP-23.3.4.6
OTP-23.3.4.7
OTP-23.3.4.8
OTP-23.3.4.9
OTP-24.*
OTP-24.0
OTP-24.0-rc1
OTP-24.0-rc2
OTP-24.0-rc3
OTP-24.0.1
OTP-24.0.2
OTP-24.0.3
OTP-24.0.4
OTP-24.0.5
OTP-24.0.6
OTP-24.1
OTP-24.1.1
OTP-24.1.2
OTP-24.1.3
OTP-24.1.4
OTP-24.1.5
OTP-24.1.6
OTP-24.1.7
OTP-24.2
OTP-24.2.1
OTP-24.2.2
OTP-24.3
OTP-24.3.1
OTP-24.3.2
OTP-24.3.3
OTP-24.3.4
OTP-24.3.4.1
OTP-24.3.4.10
OTP-24.3.4.11
OTP-24.3.4.12
OTP-24.3.4.13
OTP-24.3.4.14
OTP-24.3.4.15
OTP-24.3.4.16
OTP-24.3.4.17
OTP-24.3.4.2
OTP-24.3.4.3
OTP-24.3.4.4
OTP-24.3.4.5
OTP-24.3.4.6
OTP-24.3.4.7
OTP-24.3.4.8
OTP-24.3.4.9
OTP-25.*
OTP-25.0
OTP-25.0-rc1
OTP-25.0-rc2
OTP-25.0-rc3
OTP-25.0.1
OTP-25.0.2
OTP-25.0.3
OTP-25.0.4
OTP-25.1
OTP-25.1.1
OTP-25.1.2
OTP-25.1.2.1
OTP-25.2
OTP-25.2.1
OTP-25.2.2
OTP-25.2.3
OTP-25.3
OTP-25.3.1
OTP-25.3.2
OTP-25.3.2.1
OTP-25.3.2.10
OTP-25.3.2.11
OTP-25.3.2.12
OTP-25.3.2.13
OTP-25.3.2.14
OTP-25.3.2.15
OTP-25.3.2.16
OTP-25.3.2.17
OTP-25.3.2.18
OTP-25.3.2.19
OTP-25.3.2.2
OTP-25.3.2.20
OTP-25.3.2.21
OTP-25.3.2.3
OTP-25.3.2.4
OTP-25.3.2.5
OTP-25.3.2.6
OTP-25.3.2.7
OTP-25.3.2.8
OTP-25.3.2.9
OTP-26.*
OTP-26.0
OTP-26.0-rc1
OTP-26.0-rc2
OTP-26.0-rc3
OTP-26.0.1
OTP-26.0.2
OTP-26.1
OTP-26.1.1
OTP-26.1.2
OTP-26.2
OTP-26.2.1
OTP-26.2.2
OTP-26.2.3
OTP-26.2.4
OTP-26.2.5
OTP-26.2.5.1
OTP-26.2.5.10
OTP-26.2.5.11
OTP-26.2.5.12
OTP-26.2.5.13
OTP-26.2.5.14
OTP-26.2.5.15
OTP-26.2.5.16
OTP-26.2.5.2
OTP-26.2.5.3
OTP-26.2.5.4
OTP-26.2.5.5
OTP-26.2.5.6
OTP-26.2.5.7
OTP-26.2.5.8
OTP-26.2.5.9
OTP-27.*
OTP-27.0
OTP-27.0-rc1
OTP-27.0-rc2
OTP-27.0-rc3
OTP-27.0.1
OTP-27.1
OTP-27.1.1
OTP-27.1.2
OTP-27.1.3
OTP-27.2
OTP-27.2.1
OTP-27.2.2
OTP-27.2.3
OTP-27.2.4
OTP-27.3
OTP-27.3.1
OTP-27.3.2
OTP-27.3.3
OTP-27.3.4
OTP-27.3.4.1
OTP-27.3.4.2
OTP-27.3.4.3
OTP-27.3.4.4
OTP-27.3.4.5
OTP-27.3.4.6
OTP-27.3.4.7
OTP-28.*
OTP-28.0
OTP-28.0-rc1
OTP-28.0-rc2
OTP-28.0-rc3
OTP-28.0-rc4
OTP-28.0.1
OTP-28.0.2
OTP-28.0.3
OTP-28.0.4
OTP-28.1
OTP-28.1.1
OTP-28.2
OTP-28.3
OTP-28.3.1
OTP-29.*
OTP-29.0-rc1
Other
patch-base-24
patch-base-25
patch-base-26
patch-base-27

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2026-21620.json"