VYPR
High severity (7.3) · NVD Advisory · Published Apr 1, 2026 · Updated Apr 29, 2026

CVE-2026-5258

Description

A vulnerability was found in Sanster IOPaint 1.5.3. The affected code is the function _get_file in the file iopaint/file_manager/file_manager.py of the File Manager component. Manipulating the filename argument results in path traversal. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IOPaint 1.5.3 suffers from a path traversal vulnerability in the File Manager component, allowing remote attackers to read arbitrary files via a crafted filename parameter.

Root Cause

CVE-2026-5258 is a path traversal vulnerability in Sanster IOPaint version 1.5.3. The issue exists in the _get_file function within iopaint/file_manager/file_manager.py. When processing the filename argument, the application does not sanitize or canonicalize the user-supplied value before using it to locate a file, so traversal sequences such as ../ in the filename resolve to files outside the directory the file manager is meant to serve [1].
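The pattern described above, as an added illustration that is not IOPaint's code and is not taken from the advisory: a hypothetical file-manager lookup in its vulnerable form beside a hardened one, exercised on constructed filenames. The directory layout, the sample files, and the names get_file_unsafe and get_file_safe are assumptions made for the example; the real _get_file is not reproduced here. The hardened form shows the shape of a code-level fix (decode once, reject absolute paths, canonicalize, then check containment with commonpath rather than a string prefix); the page itself records no vendor patch.

```python
"""Illustration of the path-traversal pattern behind CVE-2026-5258.

Hypothetical code, not IOPaint's: a minimal file-manager lookup in its
vulnerable form beside a hardened one, exercised on constructed inputs.
Assumes a POSIX filesystem.
"""
import os
import shutil
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Requested filename resolves outside the directory being served."""


def get_file_unsafe(root: str, filename: str) -> Path:
    """Vulnerable pattern (hypothetical, modelled on the CVE description):
    the attacker-controlled filename is joined onto the root and used as-is.
    '../x' walks out of root; an absolute filename replaces root entirely."""
    return Path(root) / filename


def get_file_safe(root: str, filename: str) -> Path:
    """Hardened form: decode once, reject NUL bytes and absolute paths,
    canonicalize (follows symlinks, collapses '..'), then require the
    result to still lie under the canonical root."""
    decoded = unquote(filename)          # catch '..%2F' as well as '../'
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in filename")
    if PurePosixPath(decoded).is_absolute():
        raise PathTraversalError("absolute path rejected")
    root_real = Path(root).resolve()
    candidate = (root_real / decoded).resolve()
    # commonpath, not a string-prefix test: a prefix test would accept
    # '<root>-private/x' as being inside '<root>'.
    if os.path.commonpath([root_real, candidate]) != str(root_real):
        raise PathTraversalError(f"{filename!r} resolves outside {root}")
    if candidate == root_real:
        raise PathTraversalError("empty filename")
    return candidate


def _escapes(root: Path, target: Path) -> bool:
    """True when target canonicalizes to somewhere outside root."""
    root_real = root.resolve()
    return os.path.commonpath([root_real, target.resolve()]) != str(root_real)


def demo() -> dict:
    """Build a throwaway directory tree (constructed sample data) and record,
    per filename, whether the unsafe lookup escapes the served directory and
    whether the safe lookup rejects it.
    Returns {filename: (unsafe_escapes, safe_rejected)}."""
    base = Path(tempfile.mkdtemp())
    try:
        images = base / "images"
        images.mkdir()
        (images / "cat.png").write_bytes(b"\x89PNG constructed sample")
        (base / "secret.txt").write_text("constructed: outside the served dir")
        (base / "images-private").mkdir()
        (base / "images-private" / "x.png").write_bytes(b"constructed")

        probes = [
            "cat.png",                     # legitimate request
            "../secret.txt",               # plain traversal
            "..%2Fsecret.txt",             # only escapes once decoded
            "../images-private/x.png",     # defeats a naive prefix check
            "/etc/hostname",               # absolute path discards root
        ]
        results = {}
        for name in probes:
            unsafe_escapes = _escapes(images, get_file_unsafe(str(images), name))
            try:
                get_file_safe(str(images), name)
                safe_rejected = False
            except PathTraversalError:
                safe_rejected = True
            results[name] = (unsafe_escapes, safe_rejected)
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, (escapes, rejected) in demo().items():
        print(f"{name:28} unsafe escapes root: {escapes!s:5}  safe rejects: {rejected}")
```

The percent-encoded probe is the one to watch: the unsafe lookup treats "..%2Fsecret.txt" as a single harmless filename, so whether it is exploitable depends on whether the web framework in front of the function has already decoded the parameter. Decoding once inside the check, as the hardened version does, removes that dependency.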

Exploitation

The disclosure characterizes the attack as remote; the exact preconditions, including whether an authenticated session is required, are not stated. The attack consists of sending a request whose filename value contains traversal sequences that resolve outside the directory the file manager is meant to serve. The exploit has been made publicly available, which raises the likelihood of opportunistic use [1].

Impact

Successful exploitation allows an attacker to read arbitrary files that the IOPaint process has permission to read, potentially including configuration data, credentials or tokens, source code, or other confidential information. Disclosure of such material can lead to further compromise of the application or the underlying system.

Mitigation

The vendor was contacted but did not respond, and as of the publication date of this CVE no patch or official workaround has been released. Until a fix is available, users should restrict network access to the IOPaint instance so it is not reachable from untrusted networks, block traversal sequences such as ../ and their percent-encoded forms in the filename parameter at a reverse proxy or WAF in front of the application, run the service under a low-privilege account with as little of the filesystem readable as possible, or migrate to an alternative solution [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)