Severity: High
OSV Advisory. Published Jan 7, 2026. Updated Jan 8, 2026.
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
CVE-2026-21857
Description
REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive. Version 5.20.2 fixes this issue.
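The description above comes down to one missing check: a user-controlled export directory that is never compared with the allowlist the UI itself built. The snippet below is an added illustration, not REDAXO's own code; the function names, the `$allowedDirs` array and the temporary directory layout are assumptions made for the example. It places the unsafe pattern next to a hardened version that canonicalises the requested path with realpath() and accepts it only when it sits inside an allowlisted directory, which also rejects the absolute-path variant the advisory mentions.

```php
<?php
// Added example, not REDAXO's code. All names here are hypothetical.

/**
 * Unsafe pattern: the POSTed directory is joined to the base as-is, so
 * "../" segments (or an absolute path under the webroot) escape the scope
 * the UI offered and any readable file ends up in the archive.
 */
function resolveExportDirUnsafe(string $webroot, string $requested): string
{
    return rtrim($webroot, '/') . '/' . $requested;
}

/**
 * Hardened: canonicalise the request and accept it only if it equals an
 * allowlisted directory or lies beneath one. Returns null on rejection so
 * the caller cannot fall through into the archive step by accident.
 * Requires PHP 8 for str_starts_with().
 */
function resolveExportDirSafe(string $webroot, array $allowedDirs, string $requested): ?string
{
    if ($requested === '') {
        return null;
    }
    $base = realpath($webroot);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." and symlinks and returns false for missing paths.
    // An absolute request is resolved on its own; it still has to pass the allowlist.
    $raw = $requested[0] === '/' ? $requested : $base . '/' . $requested;
    $candidate = realpath($raw);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    foreach ($allowedDirs as $dir) {
        $allowed = realpath($base . '/' . $dir);
        if ($allowed === false) {
            continue;
        }
        // Compare with a trailing separator so "media" never matches "media-old".
        if ($candidate === $allowed || str_starts_with($candidate, $allowed . DIRECTORY_SEPARATOR)) {
            return $candidate;
        }
    }
    return null;
}

// Demo on a constructed temporary tree standing in for a webroot.
$root = sys_get_temp_dir() . '/cms-export-demo-' . getmypid();
foreach (['data/addons', 'data/media', 'data/media-old', 'data/core'] as $d) {
    mkdir("$root/$d", 0700, true);
}
file_put_contents("$root/data/core/config.yml", "secret: do-not-export\n");

// What the UI would have offered as export targets.
$allowedDirs = ['data/addons', 'data/media'];

$requests = [
    'data/media',               // legitimate choice
    'data/addons/../core',      // traversal into a directory holding secrets
    'data/media-old',           // sibling that a naive prefix check would accept
    $root . '/data/core',       // absolute path inside the webroot
];

foreach ($requests as $req) {
    $unsafe = resolveExportDirUnsafe($root, $req);
    $safe   = resolveExportDirSafe($root, $allowedDirs, $req);
    printf("%-28s unsafe -> %s\n%-28s safe   -> %s\n", $req, $unsafe, '', $safe ?? 'REJECTED');
}

// Clean up the constructed tree.
unlink("$root/data/core/config.yml");
foreach (['data/core', 'data/media-old', 'data/media', 'data/addons', 'data'] as $d) {
    rmdir("$root/$d");
}
rmdir($root);
```

Run it with `php example.php`. Only the first request survives the hardened resolver; the traversal, the look-alike sibling and the absolute path are all rejected, while the unsafe variant hands every one of them on to whatever builds the archive. The same shape applies when the allowlist lives in the UI rather than in code: the server must re-derive or re-check the list itself, never trust that the client picked from it.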
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| redaxo/source | Packagist | < 5.20.2 | 5.20.2 |
References
- github.com/advisories/GHSA-824x-88xg-cwrv (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-21857 (ADVISORY)
- github.com/redaxo/redaxo/releases/tag/5.20.2 (WEB, MISC)
- github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv (WEB, CONFIRM)