CVE-2026-1812

MediumPublic PoC

Published: 03 February 2026

Published

03 February 2026

Modified

03 March 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0011 28.8th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability has been found in bolo-blog bolo-solo up to 2.6.4. This impacts the function importFromCnblogs of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. The manipulation of the argument File leads to path traversal. It is possible to initiate…

the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the path traversal vulnerability by requiring validation of the File argument in importFromCnblogs to block traversal sequences like '../'.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and patching of the unremediated path traversal flaw in BackupService.java.

SC-7 Boundary Protection partial match

prevent

Boundary protection mechanisms like web application firewalls can inspect and block remote path traversal payloads targeting the vulnerable Filename Handler component.

Security SummaryAI

CVE-2026-1812 is a path traversal vulnerability (CWE-22) affecting bolo-blog bolo-solo versions up to 2.6.4. The issue resides in the importFromCnblogs function within the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the Filename Handler component, where manipulation of the File argument enables traversal outside intended directories.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), resulting in a CVSS v3.1 base score of 6.3. The scope remains unchanged (S:U).

Advisories from VulDB indicate the vulnerability was reported to the project early via GitHub issue #328, but the maintainers have not responded or issued patches as of the CVE publication on 2026-02-03. Practitioners should monitor the bolo-blog/bolo-solo GitHub repository for updates.

The exploit has been publicly disclosed and may be actively used, though no confirmed real-world exploitation is reported in available data.

Details

CWE(s): CWE-22

Affected Products

adlered

bolo-solo

≤ 2.6.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal vulnerability (CWE-22) in public-facing blog application (bolo-blog/bolo-solo) enables remote exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/bolo-blog/bolo-solo/
Product · cna@vuldb.com
https://github.com/bolo-blog/bolo-solo/issues/328
Exploit, Issue Tracking, Vendor Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.343980
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.343980
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.742582
Third Party Advisory, VDB Entry · cna@vuldb.com