Vulnerability Description
REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redaxo | Redaxo | < 5.20.2 |
Related Weaknesses (CWE)
References
- https://github.com/redaxo/redaxo/releases/tag/5.20.2Release Notes
- https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrvExploitVendor Advisory
- https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrvExploitVendor Advisory
FAQ
What is CVE-2026-21857?
CVE-2026-21857 is a vulnerability with a CVSS score of 6.5 (MEDIUM). REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon...
How severe is CVE-2026-21857?
CVE-2026-21857 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-21857?
Check the references section above for vendor advisories and patch information. Affected products include: Redaxo Redaxo.