{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2731", "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "state": "PUBLISHED", "assignerShortName": "NCSC-FI", "dateReserved": "2026-02-19T05:59:41.416Z", "datePublished": "2026-02-19T06:46:52.763Z", "dateUpdated": "2026-02-19T21:21:36.185Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["JobRunnerBackground.aspx"], "platforms": ["Windows"], "product": "DynamicWeb 9", "vendor": "DynamicWeb", "versions": [{"status": "affected", "version": "8"}, {"lessThan": "9.19.7", "status": "affected", "version": "9", "versionType": "custom"}, {"lessThan": "9.20.3", "status": "affected", "version": "9.20.0", "versionType": "custom"}, {"status": "unaffected", "version": "9.21.0"}, {"status": "unaffected", "version": "10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Vestberg, Reversec Sweden AB"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (&lt;9.19.7 and &lt;9.20.3) allows unauthenticated attackers to execute code via simple web requests"}], "value": "Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 10, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "shortName": "NCSC-FI", "dateUpdated": "2026-02-19T07:41:28.171Z"}, "references": [{"url": "https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/security-reports.html#january-19th-2026---unauthenticated-rce-dynamicweb-9-and-dynamicweb-8"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-01-15T23:00:00.000Z", "value": "Vulnerability reported to vendor."}, {"lang": "en", "time": "2026-01-15T23:00:00.000Z", "value": "Vendor confirmed the vulnerability."}, {"lang": "en", "time": "2026-01-18T23:00:00.000Z", "value": "Vendor released a fix version of the product and published security advisory."}], "title": "Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:21:24.359654Z", "id": "CVE-2026-2731", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:21:36.185Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2731", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T21:21:24.359654Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:21:30.296Z"}}], "cna": {"title": "Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jonas Vestberg, Reversec Sweden AB"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "DynamicWeb", "modules": ["JobRunnerBackground.aspx"], "product": "DynamicWeb 9", "versions": [{"status": "affected", "version": "8"}, {"status": "affected", "version": "9", "lessThan": "9.19.7", "versionType": "custom"}, {"status": "affected", "version": "9.20.0", "lessThan": "9.20.3", "versionType": "custom"}, {"status": "unaffected", "version": "9.21.0"}, {"status": "unaffected", "version": "10"}], "platforms": ["Windows"], "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2026-01-15T23:00:00.000Z", "value": "Vulnerability reported to vendor."}, {"lang": "en", "time": "2026-01-15T23:00:00.000Z", "value": "Vendor confirmed the vulnerability."}, {"lang": "en", "time": "2026-01-18T23:00:00.000Z", "value": "Vendor released a fix version of the product and published security advisory."}], "references": [{"url": "https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/security-reports.html#january-19th-2026---unauthenticated-rce-dynamicweb-9-and-dynamicweb-8"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests", "supportingMedia": [{"type": "text/html", "value": "Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (&lt;9.19.7 and &lt;9.20.3) allows unauthenticated attackers to execute code via simple web requests", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "shortName": "NCSC-FI", "dateUpdated": "2026-02-19T07:41:28.171Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2731", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:21:36.185Z", "dateReserved": "2026-02-19T05:59:41.416Z", "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "datePublished": "2026-02-19T06:46:52.763Z", "assignerShortName": "NCSC-FI"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests"}, {"lang": "es", "value": "Salto de ruta e inyecci\u00f3n de contenido en JobRunnerBackground.aspx en DynamicWeb 8 (todas) y 9 (&lt;9.19.7 y &lt;9.20.3) permite a atacantes no autenticados ejecutar c\u00f3digo a trav\u00e9s de solicitudes web simples"}], "id": "CVE-2026-2731", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary"}]}, "published": "2026-02-19T07:17:50.817", "references": [{"source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "url": "https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/security-reports.html#january-19th-2026---unauthenticated-rce-dynamicweb-9-and-dynamicweb-8"}], "sourceIdentifier": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "8"}}, {"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[9,9.19.7)"}}, {"platform": ["windows"], "status": "affected", "versions": {"scheme": "semver", "value": "[9.20.0,9.20.3)"}}, {"platform": ["windows"], "status": "unaffected", "versions": {"scheme": "semver", "value": "9.21.0"}}, {"platform": ["windows"], "status": "unaffected", "versions": {"scheme": "generic", "value": "10"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "DynamicWeb 9", "source": "cna", "vendor": "DynamicWeb"}, "product": "dynamicweb", "vendor": "dynamicweb"}], "analysis": {"en": {"generated_at": "2026-04-17T18:15:06.441785+00:00", "value": {"mitigation_remediation": ["Obtain and install the latest DynamicWeb release that addresses the JobRunnerBackground.aspx path traversal flaw (versions 9.19.7 or later, or 9.20.3 or later for earlier releases).", "Restrict access to the /JobRunnerBackground.aspx endpoint by firewall or web\u2011application firewall rules, allowing only authenticated traffic and blocking path\u2011traversal patterns.", "Implement strict server\u2011side validation of file paths used by JobRunnerBackground.aspx, ensuring that only legitimate, whitelisted directories are accessible and that file system permissions prevent arbitrary code execution."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "DynamicWeb 8 (all releases) and DynamicWeb 9 (versions prior to 9.19.7 and prior to 9.20.3) are affected. The issue resides in the JobRunnerBackground.aspx component, which is widely used across these product generations.", "description_and_impact": "DynamicWeb\u2019s JobRunnerBackground.aspx is vulnerable to path traversal and content injection attacks that can be exploited without authentication. An attacker who sends crafted web requests can manipulate file paths and execute arbitrary code on the server, giving full control over the system. The vulnerability is classified as CWE-22, indicating a flaw in controlling access to file system paths.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 10, rating it as critical. The EPSS score is below 1%, indicating a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is remote, HTTP-based, and requires no authentication, allowing any internet-exposed attacker to exploit the flaw by sending specifically crafted requests to the vulnerable endpoint."}}}}, "created": "2026-02-20T10:11:29.098384+00:00", "updated": "2026-04-17T18:15:26.785798+00:00", "vendors": ["dynamicweb", "dynamicweb$PRODUCT$dynamicweb"]}