CVE-2026-10073

Vulnerability

DreamMaker (Java Composer) versions 2.2 and earlier, developed by Interinfo, contain an arbitrary file read vulnerability due to improper input validation. The application fails to sanitize user-supplied path components, enabling relative path traversal (../) sequences. No authentication is required to reach the vulnerable endpoint, making it exploitable by unauthenticated local attackers [1][2].

Exploitation

An unauthenticated local attacker can send crafted HTTP requests containing ../ sequences to traverse directories outside the intended web root. By submitting a request with a path such as ../../../etc/passwd, the attacker can download arbitrary system files. No special privileges or user interaction are required [1][2].

Impact

Successful exploitation allows the attacker to download arbitrary files from the server's filesystem, potentially exposing sensitive configuration data, credentials, or source code. The compromise is limited to read access (confidentiality breach) and does not enable modification or execution; CVSS v3.1 base score is 7.5 (High) with a confidentiality impact of High [1][2].

Mitigation

The vendor has not yet released a fixed version in the available references. The recommended mitigation is to update DreamMaker Java Composer to a version newer than 2.2 once a patch is provided. Users should apply input validation filters that block path traversal sequences and restrict file access to the intended directory. No KEV listing is reported [1][2].