CVE-2019-9889
Description
In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with File Inclusion. An attacker can leverage this vulnerability to execute code under the context of the web server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in Vanilla's AddonManager allows remote code execution via crafted add-on type parameter.
Vulnerability
The getSingleIndex function in the AddonManager class of Vanilla (before version 2.6.4) does not validate the type parameter, allowing a crafted value to be passed to a require call. This results in directory traversal combined with file inclusion. The vulnerability exists in versions prior to 2.6.4 [1][2].
Exploitation
An attacker must have the ability to supply a type value to the AddonManager, likely through a web request that triggers the vulnerable code path. No authentication is required if the endpoint is publicly accessible. By providing a path traversal sequence (e.g., ../../) in the type parameter, the attacker can include arbitrary PHP files from the server's filesystem.
Impact
Successful exploitation allows the attacker to include and execute arbitrary PHP files under the context of the web server. This can lead to remote code execution, full compromise of the application, and potential lateral movement within the hosting environment.
Mitigation
The fix was implemented in Vanilla version 2.6.4, released on October 29, 2018 [1][2]. The patch enforces allowed add-on types and keys, preventing arbitrary input from reaching the require call. Users should upgrade to 2.6.4 or later. No known workarounds are documented.
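One way to enforce allowed add-on types and keys before a value reaches a require call, as an added example that is not Vanilla's code: the class name, directory layout and allowed-type list are assumptions made for illustration.

```php
<?php
// Hypothetical illustration, not Vanilla's code: the mitigation pattern described
// above, where an add-on type and key must pass an allowlist before any require path
// is built, and the resolved path is then checked to lie under the add-on directory.

final class AddonIndexLoader
{
    // Constructed allowlist for this example; Vanilla's actual add-on types may differ.
    private const ALLOWED_TYPES = ['addon', 'theme', 'locale'];
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $this->baseDir = $baseDir;
    }

    // Validate type and key first, then confirm containment of the resolved file.
    // realpath() returns false for a missing file, which is also rejected.
    public function safeIndexPath(string $type, string $key): string
    {
        if (!in_array($type, self::ALLOWED_TYPES, true)) {
            throw new InvalidArgumentException("Unknown add-on type: $type");
        }
        if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/i', $key)) {
            throw new InvalidArgumentException("Invalid add-on key: $key");
        }
        $base = realpath($this->baseDir);
        $real = realpath("{$this->baseDir}/{$type}s/{$key}/index.php");
        if ($base === false || $real === false || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            throw new RuntimeException("Add-on index missing or outside base directory: $type/$key");
        }
        return $real;
    }

    // The require only ever sees a path that survived the checks above.
    public function loadIndex(string $type, string $key)
    {
        return require $this->safeIndexPath($type, $key);
    }
}

// Constructed inputs: a valid pair, then the kind of crafted type and key the CVE describes.
$loader = new AddonIndexLoader(__DIR__ . '/addons');
foreach ([['addon', 'my-plugin'], ['../../etc', 'passwd'], ['addon', '../../conf']] as [$type, $key]) {
    try {
        echo $loader->safeIndexPath($type, $key), PHP_EOL;
    } catch (Throwable $e) {
        echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

With no addons directory present the valid pair is also rejected by the realpath containment check, which is the intended fail-closed behaviour.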
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: Vanilla_2.6.1, Vanilla_2.6.3, list
- (no CPE) range: <2.6.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/vanilla/vanilla/compare/b043ae8...9f12b22 (MISC)
- [2] github.com/vanilla/vanilla/pull/7840 (MISC)
- [3] hackerone.com/reports/411140 (MISC)
News mentions
No linked articles in our index yet.