VYPR
High severity · OSV Advisory · Published Jan 22, 2026 · Updated Apr 15, 2026

CVE-2023-7335

Description

EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC).
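
A defensive check for the exposure described above, as an added example (not code from EduSoho or from this advisory): it scans web access-log lines for `fileNames[]` values that still contain path traversal after percent-decoding. The log lines, the request-path placeholder, the benign file name and the assumption that the parameter is visible in the query string are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines. The request path is a placeholder: the advisory
# does not give the export endpoint's URL.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jan/2026:03:12:44 +0000] "GET /EXPORT-ENDPOINT-PLACEHOLDER'
    '?fileNames%5B%5D=..%2F..%2Fconfig%2Fparameters.yml HTTP/1.1" 200 812',
    '192.0.2.10 - - [19/Jan/2026:03:13:02 +0000] "GET /EXPORT-ENDPOINT-PLACEHOLDER'
    '?fileNames%5B%5D=course_statistics_01.csv HTTP/1.1" 200 4096',
    '203.0.113.5 - - [19/Jan/2026:03:14:30 +0000] "GET /EXPORT-ENDPOINT-PLACEHOLDER'
    '?fileNames%5B0%5D=%252e%252e%252f%252e%252e%252fconfig%252fparameters.yml HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(name):
    """True when the decoded name is absolute, has a '..' segment or a NUL byte."""
    name = fully_decode(name).replace("\\", "/")
    return name.startswith("/") or ".." in name.split("/") or "\x00" in name


def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for each traversal-bearing fileNames[] value."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if fully_decode(key).startswith("fileNames[") and is_traversal(value):
                hits.append((line.split()[0], fully_decode(value)))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested {value!r} via fileNames[]")
```

Requests that carry the parameter in a POST body do not appear in standard access logs, so the same `is_traversal` check would need to run where request bodies are visible, such as a reverse proxy or WAF log.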

Affected products

2
  • Edusoho/Edusoho · OSV · 2 versions
    v1.0.0, v1.0.37, v1.1.0, … + 1 more
    • (no CPE) range: v1.0.0, v1.0.37, v1.1.0, …
    • (no CPE) range: <22.4.7
