{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28507", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T20:57:47.709Z", "datePublished": "2026-03-06T04:12:43.557Z", "dateUpdated": "2026-03-06T16:08:06.876Z"}, "containers": {"cna": {"title": "Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/idno/idno/security/advisories/GHSA-37j7-56xc-c468", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/idno/idno/security/advisories/GHSA-37j7-56xc-c468"}, {"name": "https://github.com/idno/idno/releases/tag/1.6.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/idno/idno/releases/tag/1.6.4"}], "affected": [{"vendor": "idno", "product": "idno", "versions": [{"version": "< 1.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:12:43.557Z"}, "descriptions": [{"lang": "en", "value": "Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4."}], "source": {"advisory": "GHSA-37j7-56xc-c468", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:58:17.703660Z", "id": "CVE-2026-28507", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:08:06.876Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T15:58:17.703660Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:58:18.762Z"}}], "cna": {"title": "Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal", "source": {"advisory": "GHSA-37j7-56xc-c468", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "idno", "product": "idno", "versions": [{"status": "affected", "version": "< 1.6.4"}]}], "references": [{"url": "https://github.com/idno/idno/security/advisories/GHSA-37j7-56xc-c468", "name": "https://github.com/idno/idno/security/advisories/GHSA-37j7-56xc-c468", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/idno/idno/releases/tag/1.6.4", "name": "https://github.com/idno/idno/releases/tag/1.6.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:12:43.557Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28507", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:08:06.876Z", "dateReserved": "2026-02-27T20:57:47.709Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:12:43.557Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:withknown:known:*:*:*:*:*:*:*:*", "matchCriteriaId": "03C6A2FD-591E-4396-B7DF-AFE37782951B", "versionEndExcluding": "1.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4."}, {"lang": "es", "value": "Idno es una plataforma de publicaci\u00f3n social. Antes de la versi\u00f3n 1.6.4, existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de la escritura encadenada de archivos de importaci\u00f3n y el salto de ruta de plantilla. Este problema ha sido parcheado en la versi\u00f3n 1.6.4."}], "id": "CVE-2026-28507", "lastModified": "2026-03-16T14:43:24.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:32.073", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/idno/idno/releases/tag/1.6.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/idno/idno/security/advisories/GHSA-37j7-56xc-c468"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "idno", "vendor": "idno"}], "analysis": {"en": {"generated_at": "2026-04-16T11:40:13.666146+00:00", "value": {"mitigation_remediation": ["Upgrade idno to version 1.6.4 or later", "If an immediate upgrade is infeasible, disable or restrict the import file functionality to prevent arbitrary file writes", "Restrict template path access and enforce strict input validation to eliminate path traversal and command execution"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is idno, a social publishing platform. All releases prior to version 1.6.4 are vulnerable. The issue was addressed in release 1.6.4, so any instance running an earlier version should be considered at risk.", "description_and_impact": "The vulnerability originates from a chained import file write and template path traversal flaw that allows an attacker to execute arbitrary code on the host. The weakness is identified as CWE-78, reflecting improper handling of system command execution or file paths. An attacker can leverage this flaw to write malicious files to the server\u2019s file system and then load them as templates, effectively achieving full control over the targeted installation.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity impact. EPSS is below 1%, suggesting that the probability of exploitation observed in the wild is low at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, performed via the web interface, requiring the ability to submit import files and influence template paths. Although no public exploits have been documented, the combination of a remote entry point and the potential to gain code execution warrants immediate attention."}}}}, "created": "2026-03-06T14:55:55.534050+00:00", "updated": "2026-04-16T11:45:26.267222+00:00", "vendors": ["idno", "idno$PRODUCT$idno"]}