VYPR
← All advisories
Medium severity5.4NVD Advisory· Published Apr 26, 2026· Updated Apr 29, 2026

CVE-2026-7024

CVE-2026-7024

Description

A flaw has been found in rawchen sims up to 004f783b1db5ecdfad81c8fdc3b34171211112de. Affected by this issue is some unknown functionality of the file sims-master/src/web/servlet/file/DeleteFileServlet.java of the component deleteFileServlet Endpoint. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthorized arbitrary file deletion vulnerability in rawchen/sims allows remote attackers to delete arbitrary files via path traversal in the deleteFileServlet endpoint.

Vulnerability in rawchen/sims up to commit 004f783b1db5ecdfad81c8fdc3b34171211112de. The deleteFileServlet endpoint in sims-master/src/web/servlet/file/DeleteFileServlet.java lacks authentication and input validation. The filename parameter is directly concatenated into a file path without sanitization, enabling path traversal [1].

An unauthenticated attacker can send a crafted GET request to the filename parameter (e.g., ../aaaa.txt) to delete arbitrary files on the server. The attack is remotely exploitable and does not require any privileges [1].

Successful exploitation can lead to deletion of critical system files, potentially causing system paralysis, data loss, or complete service failure [1].

The vendor was contacted but did not respond. No patch is available; the product does not use versioning. The exploit has been published, increasing the risk of active exploitation [1].

References
  1. rawchen/sims has a Unauthorized Arbitrary File Delete Vulnerability

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.