CVE-2026-10075
Description
DreamMaker, developed by Interinfo, has an Absolute Path Traversal vulnerability that allows unauthenticated remote attackers to read file names under arbitrary paths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DreamMaker Java Composer 2.2 and earlier contain an unauthenticated absolute path traversal vulnerability, enabling remote attackers to enumerate file names under arbitrary paths.
Vulnerability
DreamMaker by Interinfo, specifically Java Composer versions 2.2 and earlier, is vulnerable to an absolute path traversal flaw [1][2]. An unauthenticated remote attacker can exploit this vulnerability to read file names under arbitrary paths on the server. The issue is tracked as CVE-2026-10075 with a CVSS v3 base score of 5.3 (Medium) [1].
Exploitation
An attacker does not require authentication or any prior access to the system [1][2]. The vulnerability is remotely exploitable over the network by sending crafted requests that leverage absolute path traversal sequences to navigate the filesystem. No user interaction or special privileges are needed for the attack to succeed [1].
Impact
Successful exploitation allows an attacker to enumerate file names under arbitrary paths on the server [1][2]. While this vulnerability does not directly allow file content disclosure or modification, it exposes the directory structure and file names, which can aid in further attacks. The confidentiality impact is assessed as low [1].
Mitigation
The vendor (Interinfo) has been notified and a solution is expected. As of the publication date (2026-05-29), users are advised to update DreamMaker to the latest version once it is available [1][2]. No workaround has been disclosed in the available references.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.