{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1978", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-05T13:39:52.300Z", "datePublished": "2026-02-06T04:02:07.172Z", "dateUpdated": "2026-02-23T09:20:50.974Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:20:50.974Z"}, "title": "kalyan02 NanoCMS User Information pagesdata.txt direct request", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-425", "lang": "en", "description": "Direct Request"}]}], "affected": [{"vendor": "kalyan02", "product": "NanoCMS", "versions": [{"version": "0.1", "status": "affected"}, {"version": "0.2", "status": "affected"}, {"version": "0.3", "status": "affected"}, {"version": "0.4", "status": "affected"}], "cpes": ["cpe:2.3:a:kalyan02:nanocms:*:*:*:*:*:*:*:*"], "modules": ["User Information Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:C"}}], "timeline": [{"time": "2026-02-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-05T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-07T14:37:47.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "g111 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344500", "name": "VDB-344500 | kalyan02 NanoCMS User Information pagesdata.txt direct request", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344500", "name": "VDB-344500 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.743260", "name": "Submit #743260 | SourceCodester NanoCMS V0.4 Sensitive document leak", "tags": ["third-party-advisory"]}, {"url": "https://github.com/kalyan02/NanoCMS/blob/master/data/pagesdata.txt", "tags": ["exploit"]}, {"url": "https://github.com/kalyan02/NanoCMS/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T19:34:54.560139Z", "id": "CVE-2026-1978", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:35:04.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1978", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T19:34:54.560139Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:34:59.359Z"}}], "cna": {"title": "kalyan02 NanoCMS User Information pagesdata.txt direct request", "credits": [{"lang": "en", "type": "reporter", "value": "g111 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:kalyan02:nanocms:*:*:*:*:*:*:*:*"], "vendor": "kalyan02", "modules": ["User Information Handler"], "product": "NanoCMS", "versions": [{"status": "affected", "version": "0.1"}, {"status": "affected", "version": "0.2"}, {"status": "affected", "version": "0.3"}, {"status": "affected", "version": "0.4"}]}], "timeline": [{"lang": "en", "time": "2026-02-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-05T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-07T14:37:47.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344500", "name": "VDB-344500 | kalyan02 NanoCMS User Information pagesdata.txt direct request", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344500", "name": "VDB-344500 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.743260", "name": "Submit #743260 | SourceCodester NanoCMS V0.4 Sensitive document leak", "tags": ["third-party-advisory"]}, {"url": "https://github.com/kalyan02/NanoCMS/blob/master/data/pagesdata.txt", "tags": ["exploit"]}, {"url": "https://github.com/kalyan02/NanoCMS/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-425", "description": "Direct Request"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:20:50.974Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1978", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:20:50.974Z", "dateReserved": "2026-02-05T13:39:52.300Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-06T04:02:07.172Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kalyan02:nanocms:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BEC85B3-49E2-4C0C-9421-852443ADA842", "versionEndIncluding": "0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en kalyan02 NanoCMS hasta 0.4. Afectada por este problema es alguna funcionalidad desconocida del archivo /data/pagesdata.txt del componente User Information Handler. Realizar una manipulaci\u00f3n resulta en solicitud directa. Es posible iniciar el ataque remotamente. El exploit es ahora p\u00fablico y puede ser usado. Deber\u00eda cambiar la configuraci\u00f3n."}], "id": "CVE-2026-1978", "lastModified": "2026-02-27T20:10:36.533", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-06T05:16:10.170", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/kalyan02/NanoCMS/"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/kalyan02/NanoCMS/blob/master/data/pagesdata.txt"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.344500"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.344500"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.743260"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:40:10.947621+00:00", "value": {"mitigation_remediation": ["Upgrade NanoCMS to a version newer than 0.4 that addresses the direct request issue.", "Modify the NanoCMS configuration to restrict or disable direct access to /data/pagesdata.txt, ensuring it is accessible only to authorized users.", "Apply proper file permissions and access controls to the /data/pagesdata.txt file to prevent exposure to unauthenticated clients."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "kalyan02 NanoCMS versions up to and including 0.4 are affected. The vulnerability is tied to the User Information Handler attempting to read or expose the pagesdata.txt file. No later versions have been identified as unpatched for this issue.", "description_and_impact": "A vulnerability exists in the kalyan02 NanoCMS component that handles user information. The flaw resides in the /data/pagesdata.txt file, which can be accessed directly when a specific manipulation is performed. The result is a direct request to the file and the exposure of potentially sensitive user data. The attack can be initiated remotely, allowing an adversary to retrieve this information without authentication.", "risk_and_exploitability": "The CVSS score of 6.9 denotes a moderate severity, with an EPSS of less than 1% indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending crafted HTTP requests to the NanoCMS instance. Since the exploit is publicly available and requires only a remote request, organizations running affected versions face a moderate risk that could lead to unauthorized disclosure of user information if the file is accessible over the network."}}}}, "created": "2026-02-06T12:04:54.993691+00:00", "updated": "2026-04-18T13:45:45.676111+00:00", "vendors": ["kalyan02", "kalyan02$PRODUCT$nanocms"]}