VYPR
Medium severity · 4.3 (NVD) · Advisory · Published Feb 25, 2026 · Updated Apr 29, 2026

CVE-2026-3188
Description

A security flaw has been discovered in feiyuchuixue sz-boot-parent up to 1.3.2-beta. It affects an unknown part of the file /api/admin/common/download/templates of the component API. Manipulating the argument templateName results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.3.3-beta mitigates this issue. The patch is named aefaabfd7527188bfba3c8c9eee17c316d094802. It is recommended to upgrade the affected component. The project was informed beforehand and acted very professionally: "We have implemented path validity checks on parameters for the template download interface (...)"

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in sz-boot-parent's /api/admin/common/download/templates allows authenticated attackers to read arbitrary server resource files.

A path traversal vulnerability exists in feiyuchuixue/sz-boot-parent versions up to and including 1.3.2-beta. The flaw is in the template download API endpoint /api/admin/common/download/templates. The templateName parameter is directly concatenated to the classpath-based path classpath:/templates/ without proper validation, allowing directory traversal sequences such as ../ to escape the intended directory [1][4].

An attacker who can access the admin API can craft a request with a malicious templateName value, e.g., ../application.yml, to read files outside the templates directory. The attack is remote and does not require elevated privileges beyond the ability to reach the API [4].

Successful exploitation enables reading arbitrary resource files on the server, which may include configuration files containing database credentials, API keys, and other sensitive data. This could lead to further compromise of the system [4].

The maintainers have addressed the issue in version 1.3.3-beta by implementing path validity checks on the templateName parameter. The patch is identified by commit aefaabfd7527188bfba3c8c9eee17c316d094802 [1]. Users are strongly advised to upgrade to this version or later [3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
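The narrative above describes the root cause (raw concatenation of templateName onto classpath:/templates/) and the fix (path validity checks on the parameter). The following Java snippet is an added illustration written for this page; it is not code from sz-boot-parent or from commit aefaabfd7527188bfba3c8c9eee17c316d094802, and it assumes a hypothetical class name, a templates directory on the local filesystem, and an arbitrarily chosen set of template extensions. It shows the vulnerable concatenation next to a hardened validator that allowlists the file name and then confirms the resolved path still lies under the templates root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Illustrative validator (hypothetical class, not sz-boot-parent's code).
public final class TemplateNameValidator {
    // Assumption: templates live in a "templates" directory on disk.
    private static final Path TEMPLATE_ROOT =
            Paths.get("templates").toAbsolutePath().normalize();

    // Allowlist: a bare file name (no separators, no dots other than the
    // extension) ending in one of an assumed set of template extensions.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]+\\.(xlsx|xls|docx|csv)$");

    // Vulnerable shape described in the advisory: the parameter is appended
    // to the base location unchanged, so "../application.yml" escapes it.
    static String unsafeResourcePath(String templateName) {
        return "classpath:/templates/" + templateName;
    }

    // Hardened: reject anything outside the allowlist, then verify that the
    // normalized, resolved path is still a descendant of TEMPLATE_ROOT.
    static Path safeResourcePath(String templateName) {
        if (templateName == null || !SAFE_NAME.matcher(templateName).matches()) {
            throw new IllegalArgumentException("invalid template name");
        }
        Path resolved = TEMPLATE_ROOT.resolve(templateName).normalize();
        if (!resolved.startsWith(TEMPLATE_ROOT)) {
            throw new IllegalArgumentException("template path escapes template root");
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid name, one traversal attempt,
        // one nested path, one disallowed extension.
        String[] samples = {
            "user_import.xlsx",
            "../application.yml",
            "sub/dir.xlsx",
            "notes.txt"
        };
        for (String name : samples) {
            System.out.println("unsafe: " + unsafeResourcePath(name));
            try {
                System.out.println("safe:   accepted " + safeResourcePath(name));
            } catch (IllegalArgumentException e) {
                System.out.println("safe:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The allowlist is the primary control: it rejects separators, "..", and unexpected extensions before any path is built, which also covers resources packaged inside a jar where no filesystem containment check is possible. The startsWith check is defense in depth for the on-disk case and costs nothing. Note that a servlet container URL-decodes query parameters before the handler sees them, so encoded variants such as %2F arrive as plain "/" and are caught by the same character class.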

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.