{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3013", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-02-23T08:24:04.937Z", "datePublished": "2026-03-11T14:58:16.502Z", "dateUpdated": "2026-03-11T15:52:08.010Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Coppermine Photo Gallery", "repo": "https://github.com/coppermine-gallery/cpg1.6.x", "vendor": "Coppermine Photo Gallery", "versions": [{"lessThan": "1.6.28", "status": "affected", "version": "1.6.09", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jan Pawe\u0142 Klim"}], "datePublic": "2026-03-09T10:55:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Coppermine Photo Gallery in versions 1.6.09 through 1.6.27&nbsp;is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow to read content of any file accessible by the the web server process.<p>This issue was fixed in version 1.6.28.<br></p>"}], "value": "Coppermine Photo Gallery in versions 1.6.09 through 1.6.27\u00a0is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow to read content of any file accessible by the the web server process.This issue was fixed in version 1.6.28."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-03-11T14:58:16.502Z"}, "references": [{"url": "https://cert.pl/en/posts/2026/03/CVE-2026-3013"}, {"url": "https://github.com/coppermine-gallery/cpg1.6.x/releases/tag/v1.6.28"}], "source": {"discovery": "EXTERNAL"}, "tags": ["x_open-source"], "title": "Path Traversal in Coppermine Photo Gallery", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:51:56.443641Z", "id": "CVE-2026-3013", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:52:08.010Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:51:56.443641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:51:58.736Z"}}], "cna": {"tags": ["x_open-source"], "title": "Path Traversal in Coppermine Photo Gallery", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jan Pawe\u0142 Klim"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/coppermine-gallery/cpg1.6.x", "vendor": "Coppermine Photo Gallery", "product": "Coppermine Photo Gallery", "versions": [{"status": "affected", "version": "1.6.09", "lessThan": "1.6.28", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-09T10:55:00.000Z", "references": [{"url": "https://cert.pl/en/posts/2026/03/CVE-2026-3013"}, {"url": "https://github.com/coppermine-gallery/cpg1.6.x/releases/tag/v1.6.28"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Coppermine Photo Gallery in versions 1.6.09 through 1.6.27\u00a0is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow to read content of any file accessible by the the web server process.This issue was fixed in version 1.6.28.", "supportingMedia": [{"type": "text/html", "value": "Coppermine Photo Gallery in versions 1.6.09 through 1.6.27&nbsp;is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow to read content of any file accessible by the the web server process.<p>This issue was fixed in version 1.6.28.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-03-11T14:58:16.502Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3013", "state": "PUBLISHED", "dateUpdated": "2026-03-11T15:52:08.010Z", "dateReserved": "2026-02-23T08:24:04.937Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-03-11T14:58:16.502Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Coppermine Photo Gallery in versions 1.6.09 through 1.6.27\u00a0is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow to read content of any file accessible by the the web server process.This issue was fixed in version 1.6.28."}, {"lang": "es", "value": "Coppermine Photo Gallery en las versiones 1.6.09 a la 1.6.27 es vulnerable a salto de ruta. Un atacante remoto no autenticado puede explotar un endpoint vulnerable y construir cargas \u00fatiles que permiten leer el contenido de cualquier archivo accesible por el proceso del servidor web. Este problema fue corregido en la versi\u00f3n 1.6.28."}], "id": "CVE-2026-3013", "lastModified": "2026-04-27T19:22:08.623", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-03-11T15:16:32.097", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2026/03/CVE-2026-3013"}, {"source": "cvd@cert.pl", "url": "https://github.com/coppermine-gallery/cpg1.6.x/releases/tag/v1.6.28"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.09,1.6.28)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Coppermine Photo Gallery", "source": "cna", "vendor": "Coppermine Photo Gallery"}, "product": "coppermine_photo_gallery", "vendor": "coppermine-gallery"}], "analysis": {"en": {"generated_at": "2026-03-17T15:59:18.249570+00:00", "value": {"mitigation_remediation": ["Apply Coppermine Photo Gallery version 1.6.28 or later"], "summary": {"action": "Patch Immediately", "impact": "Remote File Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Coppermine Photo Gallery. All releases from 1.6.09 up to 1.6.27 are vulnerable. The issue was resolved in release 1.6.28.", "description_and_impact": "A path traversal vulnerability exists in Coppermine Photo Gallery versions 1.6.09 through 1.6.27. An unauthenticated remote attacker can construct a request to a vulnerable endpoint, causing the web server to resolve directory traversal sequences and read arbitrary files that the web server process can access. The primary impact is the unauthorized disclosure of sensitive information that resides on the server, as the attacker can read any file permitted by the web server process, which may include configuration files, credentials, or other private data. This weakness is characterized as a classic path traversal issue (CWE-22).", "risk_and_exploitability": "The CVSS score for this vulnerability is 8.7, reflecting a high severity due to its remote nature and significant impact on confidentiality. The EPSS score is below 1%, indicating that, historically, exploitation is relatively rare, and the is not listed in the CISA KEV catalog. Nevertheless, because an unauthenticated attacker can read arbitrary files, the risk for organizations running the affected versions is substantial and should be mitigated promptly. The attack can be performed over standard HTTP requests and does not require special privileges or prior compromise."}}}}, "created": "2026-03-12T10:05:47.413116+00:00", "updated": "2026-03-23T09:55:33.761722+00:00", "vendors": ["coppermine-gallery", "coppermine-gallery$PRODUCT$coppermine_photo_gallery"]}