Cyber Posture

CVE-2026-6057

Critical

Published: 10 April 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mitigates path traversal (CWE-22) by requiring that file paths supplied to the unauthenticated upload API be validated (canonicalised and confined to the intended upload directory) before any write, blocking arbitrary file writes.

prevent: Mandates timely patching of the specific flaw in FalkorDB Browser 1.9.3, as fixed in the vendor's GitHub pull request #1611.

prevent: Requires identification and authentication for non-organizational users (remote attackers), so the vulnerable file upload API is not reachable anonymously.

Security Summary [AI]

CVE-2026-6057 is an unauthenticated path traversal vulnerability (CWE-22) in the file upload API of FalkorDB Browser version 1.9.3. The flaw lets remote attackers write files outside the intended upload directory, which can lead to remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): critical severity because it is reachable over the network, requires no privileges and no user interaction, and yields high impact on confidentiality, integrity and availability.

Remote attackers can exploit this vulnerability without authentication by sending specially crafted requests to the file upload API in which the supplied file name or path contains directory traversal sequences, so the server writes the uploaded content outside the upload directory, for example into web roots or executable directories. Overwriting or creating files in such locations can result in remote code execution on the affected server, giving attackers full control over the system, including data exfiltration, persistence, and lateral movement.

Mitigation details are referenced in the FalkorDB Browser GitHub repository and pull request #1611, which addresses the issue with a code fix. Security practitioners should update to a version later than 1.9.3 that includes this fix and, until then, keep the Browser's upload API off untrusted networks, since no credentials are needed to reach it. Reviewing other file upload endpoints for the same class of flaw (a client-controlled file name joined onto a server path without canonicalisation and containment checks) is also advisable.
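The vulnerable pattern described above, and the input validation the mitigating-controls section calls for, side by side. This is an added illustration, not FalkorDB Browser's code and not the fix from pull request #1611: the upload directory, the function names and the sample file names are assumptions constructed for the example. The unchecked handler joins the client-supplied name onto the upload directory, so a traversal sequence escapes it; the hardened handler accepts only a bare allowlisted file name and then confirms the canonical target is still inside the upload directory.

```typescript
import * as path from "node:path";

// POSIX path rules are used explicitly so the example behaves the same on any host.
const p = path.posix;

// Assumed upload directory for the illustration (not a FalkorDB path).
export const UPLOAD_DIR = "/srv/app/uploads";

// Vulnerable pattern: the client-supplied file name is joined onto the upload
// directory without validation. path.join normalises "../" segments, so a name
// such as "../../../etc/cron.d/job" resolves to a location outside UPLOAD_DIR.
export function vulnerableTargetPath(userFilename: string): string {
  return p.join(UPLOAD_DIR, userFilename);
}

// Hardened pattern: accept only a bare file name built from an allowlist of
// characters, then resolve it and verify the result is still under UPLOAD_DIR.
// Returns null (the caller should answer 400) for anything that fails.
export function safeTargetPath(userFilename: string): string | null {
  // Reject anything that is not a plain file name: NUL bytes, "/" separators,
  // the "." and ".." entries, and any character outside the allowlist
  // (this also excludes "\" and "%", so backslash and encoded forms fail here).
  if (userFilename.length === 0 || userFilename.includes("\0")) return null;
  if (p.basename(userFilename) !== userFilename) return null;
  if (userFilename === "." || userFilename === "..") return null;
  if (!/^[A-Za-z0-9._-]{1,255}$/.test(userFilename)) return null;

  // Canonicalise and confirm containment: defence in depth in case the
  // syntactic checks above ever drift.
  const target = p.resolve(UPLOAD_DIR, userFilename);
  const rel = p.relative(UPLOAD_DIR, target);
  if (rel === "" || rel.startsWith("..") || p.isAbsolute(rel)) return null;
  return target;
}

// Run a batch of file names through both handlers so the difference is visible.
export interface TriageRow {
  name: string;
  vulnerable: string;       // where the unchecked handler would write
  hardened: string | null;  // where the validating handler would write, or null if rejected
}

export function triage(names: readonly string[]): TriageRow[] {
  return names.map((name) => ({
    name,
    vulnerable: vulnerableTargetPath(name),
    hardened: safeTargetPath(name),
  }));
}

// Constructed sample inputs: one benign upload and several traversal attempts.
export const SAMPLE_NAMES: readonly string[] = [
  "report.csv",
  "../../../etc/cron.d/job",
  "/etc/passwd",
  "..",
  "data\0.csv",
  "..\\..\\windows\\win.ini",
];

for (const row of triage(SAMPLE_NAMES)) {
  console.log(JSON.stringify(row));
}
```

Only "report.csv" is accepted by the hardened handler; the unchecked handler would write the cron-directory payload to /etc/cron.d/job. Note that the validation must run on the decoded value the framework actually uses as the file name (multipart `filename` fields are often URL- or quoted-printable-decoded before they reach the handler), and that rejecting bad names is preferable to silently stripping traversal segments, which hides probing from the logs.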

Details

CWE(s): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated path traversal in public-facing file upload API enables arbitrary file writes leading to RCE, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References