{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5638", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-05T20:20:53.735Z", "datePublished": "2026-04-06T08:30:12.177Z", "dateUpdated": "2026-04-06T12:11:46.370Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T08:30:12.177Z"}, "title": "HerikLyma CPPWebFramework path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "HerikLyma", "product": "CPPWebFramework", "versions": [{"version": "3.0", "status": "affected"}, {"version": "3.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in HerikLyma CPPWebFramework up to 3.1. This issue affects some unknown processing. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-05T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-06T03:28:42.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Matan Sandori", "type": "finder"}, {"lang": "en", "value": "MatanS (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "MatanS (VulDB User)", "type": "analyst"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355426", "name": "VDB-355426 | HerikLyma CPPWebFramework path traversal", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355426/cti", "name": "VDB-355426 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785952", "name": "Submit #785952 | HerikLyma CPPWebFramework <= 3.1 (HTTP Server Header) Relative Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://github.com/HerikLyma/CPPWebFramework/issues/40", "tags": ["issue-tracking"]}, {"url": "https://github.com/HerikLyma/CPPWebFramework/issues/40#issue-4118436068", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/HerikLyma/CPPWebFramework/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T12:06:19.837185Z", "id": "CVE-2026-5638", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T12:11:46.370Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5638", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T12:06:19.837185Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T12:07:44.256Z"}}], "cna": {"title": "HerikLyma CPPWebFramework path traversal", "credits": [{"lang": "en", "type": "finder", "value": "Matan Sandori"}, {"lang": "en", "type": "reporter", "value": "MatanS (VulDB User)"}, {"lang": "en", "type": "analyst", "value": "MatanS (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "HerikLyma", "product": "CPPWebFramework", "versions": [{"status": "affected", "version": "3.0"}, {"status": "affected", "version": "3.1"}]}], "timeline": [{"lang": "en", "time": "2026-04-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-05T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-06T03:28:42.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355426", "name": "VDB-355426 | HerikLyma CPPWebFramework path traversal", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/355426/cti", "name": "VDB-355426 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785952", "name": "Submit #785952 | HerikLyma CPPWebFramework <= 3.1 (HTTP Server Header) Relative Path Traversal", "tags": ["third-party-advisory"]}, {"url": "https://github.com/HerikLyma/CPPWebFramework/issues/40", "tags": ["issue-tracking"]}, {"url": "https://github.com/HerikLyma/CPPWebFramework/issues/40#issue-4118436068", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/HerikLyma/CPPWebFramework/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in HerikLyma CPPWebFramework up to 3.1. This issue affects some unknown processing. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T08:30:12.177Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5638", "state": "PUBLISHED", "dateUpdated": "2026-04-06T12:11:46.370Z", "dateReserved": "2026-04-05T20:20:53.735Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-06T08:30:12.177Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in HerikLyma CPPWebFramework up to 3.1. This issue affects some unknown processing. Performing a manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5638", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-06T09:16:18.267", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/HerikLyma/CPPWebFramework/"}, {"source": "cna@vuldb.com", "url": "https://github.com/HerikLyma/CPPWebFramework/issues/40"}, {"source": "cna@vuldb.com", "url": "https://github.com/HerikLyma/CPPWebFramework/issues/40#issue-4118436068"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785952"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355426"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355426/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CPPWebFramework", "source": "cna", "vendor": "HerikLyma"}, "product": "cppwebframework", "vendor": "heriklyma"}], "analysis": {"en": {"generated_at": "2026-04-06T11:21:56.263289+00:00", "value": {"mitigation_remediation": ["Update to the latest CPPWebFramework release that fixes path traversal.", "If an update is not yet available, validate and sanitize all user\u2011supplied file paths on the server side.", "Restrict file system permissions for the application\u2019s web root to the minimal set required.", "Monitor web logs for anomalous path traversal patterns."], "summary": {"action": "Immediate Patch", "impact": "Remote File Access via Path Traversal"}, "threat_synthesis": {"affected_systems": "The affected product is HerikLyma\u202fCPPWebFramework. All releases up to the\u202f3.1 series are impacted; any deployment using these versions is susceptible.", "description_and_impact": "A vulnerability exists in HerikLyma's CPPWebFramework up to version 3.1 that permits path traversal. By crafting a request that manipulates file paths, an attacker can read arbitrary files on the server. The vulnerability is remote, meaning it can be triggered over the network without local interaction, and is categorized as CWE-22, which indicates unsafe file path handling.", "risk_and_exploitability": "The severity score is medium (CVSS\u202f6.9), with no publicly available EPSS data or KEV listing, but the exploit is publicly documented. Because it can be triggered via a normal HTTP request, an attacker with network access to the web application can exploit it. The lack of a released patch increases the risk; however, without code execution, the impact is limited to data disclosure rather than full system compromise."}}}}, "created": "2026-04-06T20:14:48.455153+00:00", "updated": "2026-04-06T21:33:06.150911+00:00", "vendors": ["heriklyma", "heriklyma$PRODUCT$cppwebframework"]}