High severity · OSV Advisory · Published Jan 7, 2026 · Updated Jan 8, 2026
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
CVE-2026-21857
Description
REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive. Version 5.20.2 fixes this issue.
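The two shapes of the EXPDIR handling the advisory contrasts, as an added example that is not REDAXO's own code: the vulnerable shape trusts the submitted directory names, the hardened shape canonicalises each one with realpath() and accepts it only if it is exactly one of the allowlisted export directories. The webroot layout, the allowlist, the file names and the attacker's EXPDIR values are all constructed for this example; the function names are hypothetical and do not correspond to the addon's code.

```php
<?php
// Added example, not REDAXO's code. Models the check the advisory describes:
// every EXPDIR value must match the UI-generated allowlist of export
// directories. Directory names and the allowlist are assumptions. Needs PHP 8.

declare(strict_types=1);

/** Build a throwaway "webroot" so the script runs offline (constructed sample). */
function makeWebroot(): string
{
    $root = sys_get_temp_dir() . '/expdir-demo-' . bin2hex(random_bytes(4));
    foreach (['media', 'data/addons/backup', 'redaxo/data/core'] as $d) {
        mkdir("$root/$d", 0700, true);
    }
    // Constructed "secret" an attacker would want inside the archive.
    file_put_contents("$root/redaxo/data/core/config.yml", "db: {password: hunter2}\n");
    return realpath($root);
}

/** Files that would end up in the .tar.gz for one export directory. */
function filesUnder(string $dir): array
{
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        $files[] = $f->getPathname();
    }
    return $files;
}

/** Vulnerable shape: submitted directories are used as-is (no allowlist check).
 *  Absolute paths are passed through, modelling the "absolute paths inside the
 *  document root" case the advisory mentions. */
function resolveExportDirsVulnerable(array $expdir, string $webroot): array
{
    $dirs = [];
    foreach ($expdir as $dir) {
        $dirs[] = str_starts_with($dir, '/') ? $dir : "$webroot/$dir";
    }
    return $dirs;
}

/** Hardened shape: each value must canonicalise to an allowlisted directory.
 *  realpath() collapses '..' and '.', resolves symlinks, and returns false for
 *  paths that do not exist, so the comparison is on real locations, not strings. */
function resolveExportDirsSafe(array $expdir, string $webroot, array $allowlist): array
{
    $allowed = [];
    foreach ($allowlist as $dir) {
        $real = realpath("$webroot/$dir");
        if ($real !== false) {
            $allowed[$real] = true;
        }
    }
    $accepted = [];
    $rejected = [];
    foreach ($expdir as $dir) {
        $real = realpath(str_starts_with($dir, '/') ? $dir : "$webroot/$dir");
        if ($real !== false && isset($allowed[$real])) {
            $accepted[] = $real;
        } else {
            $rejected[] = $dir;      // traversal, absolute path, or unknown dir
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

$webroot   = makeWebroot();
$allowlist = ['media', 'data/addons/backup'];            // what the UI offers (assumption)
$postExpdir = [                                           // attacker-controlled EXPDIR[] values
    'media',
    'media/../redaxo/data/core',                          // relative traversal
    "$webroot/redaxo/data",                               // absolute path inside the webroot
];

foreach (resolveExportDirsVulnerable($postExpdir, $webroot) as $d) {
    echo "vulnerable would archive [$d]: ", implode(', ', filesUnder($d)) ?: '(nothing)', "\n";
}
$r = resolveExportDirsSafe($postExpdir, $webroot, $allowlist);
echo "hardened accepted: ", implode(', ', $r['accepted']), "\n";
echo "hardened rejected: ", implode(', ', $r['rejected']), "\n";
```

Run with `php expdir-demo.php`; the vulnerable branch lists config.yml twice (once via `..`, once via the absolute path), the hardened branch accepts only the `media` entry and rejects the other two. The check compares canonical paths for equality with the allowlist rather than testing a string prefix, so `media/../redaxo` cannot pass by merely starting with an allowed name. The temporary directory is left behind under the system temp dir; delete it by hand after inspecting it.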
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| redaxo/source (Packagist) | < 5.20.2 | 5.20.2 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- github.com/advisories/GHSA-824x-88xg-cwrv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-21857 (NVD entry)
- github.com/redaxo/redaxo/releases/tag/5.20.2 (fixed release)
- github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv (vendor advisory)
News mentions (0)
No linked articles in our index yet.