GHSA-824x-88xg-cwrv

Source

https://github.com/advisories/GHSA-824x-88xg-cwrv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-824x-88xg-cwrv/GHSA-824x-88xg-cwrv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-824x-88xg-cwrv

Aliases

CVE-2026-21857

Published

2026-01-05T20:02:58Z

Modified

2026-01-08T20:12:02.246793Z

Severity

8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

Details

Summary

Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. <img width="664" height="899" alt="image" src="https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5" /> <img width="2358" height="445" alt="image" src="https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb" />

Details

The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories.
An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive.

Vulnerable code: - redaxo/src/addons/backup/pages/export.php (lines 72-76) – directly uses $_POST['EXPDIR'] - redaxo/src/addons/backup/lib/backup.php (lines ~413 & ~427) – concatenates unsanitized user input with base path

This allows disclosure of sensitive files such as: - redaxo/data/core/config.yml → database credentials + password hashes of all backend users - .env, custom configuration files, logs, uploaded malicious files, etc.

Affected versions

≤ 5.20.1 (confirmed working)

Patched versions

None (as of 2025-12-09)

PoC – Extracting database credentials and password hashes

Log in as any user with Backup permission
Go to Backup → Export → Files

Intercept the request with Burp Suite

Change one EXPDIR[] value to ../../../../var/www/html/redaxo/data/core

Send request → download archive <img width="423" height="131" alt="image" src="https://github.com/user-attachments/assets/db8a8bda-cdaf-4dea-812f-1e312da908e2" />
Extract and open data/core/config.yml <img width="859" height="281" alt="image" src="https://github.com/user-attachments/assets/c8112ce1-5a1d-435f-953b-7eb4e711e042" />

Result: plaintext database password <img width="2534" height="1198" alt="image" src="https://github.com/user-attachments/assets/218ae917-868a-437e-98b0-6471b82c0b10" />

Impact

Full compromise of the REDAXO installation: - Database takeover - Password hash extraction → offline cracking → admin access - When combined with other vulnerabilities → RCE

CVSS 4.0 vector & score below.

Credits

Discovered by: Łukasz Rybak

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T20:02:58Z",
    "severity": "HIGH",
    "nvd_published_at": "2026-01-07T23:15:50Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-24"
    ]
}

References

Affected packages

Packagist / redaxo/source

Package

Name: redaxo/source
Purl: pkg:composer/redaxo/source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.20.2

Affected versions

5.*

5.10.0-beta1

5.10.0-beta2

5.10.0

5.10.1

5.11.0-beta1

5.11.0

5.11.1

5.11.2

5.12.0-beta1

5.12.0-beta2

5.12.0-beta3

5.12.0

5.12.1

5.13.0-beta1

5.13.0-beta2

5.13.0

5.13.1

5.13.2

5.13.3

5.14.0-beta1

5.14.0-beta2

5.14.0

5.14.1

5.14.2

5.14.3

5.15.0-beta1

5.15.0

5.15.1

5.16.0-beta1

5.16.0

5.16.1

5.17.0

5.17.1

5.18.0

5.18.1

5.18.2

5.18.3

5.19.0

5.20.0

5.20.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-824x-88xg-cwrv/GHSA-824x-88xg-cwrv.json"

last_known_affected_version_range

"<= 5.20.1"