VYPR
High severity · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-8464

Description

Golem OEE MES versions before 11.6.0 are vulnerable to unauthenticated path traversal, allowing local network attackers to read arbitrary server files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Golem OEE MES, an OEE/MES system by Neuron Soft, is vulnerable to an unauthenticated path traversal flaw (CWE-22) in its HTTP request handling. An attacker on the same local network can manipulate HTTP request paths to read arbitrary files from the server's operating system. All versions prior to 11.6.0 are affected [2].

Exploitation

An attacker needs only network access to the same local segment as the vulnerable server; no authentication or user interaction is required. By sending crafted HTTP requests containing path traversal sequences (e.g., ../), the attacker can navigate outside the intended web root and access any file readable by the server process [2].
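The defensive counterpart to the traversal described above, as an added example (not code from Golem OEE MES or Neuron Soft): a path-resolution check an HTTP file handler can apply before opening anything, plus a detection pass over constructed access-log lines. The web root, log format and sample requests are assumptions.

```python
"""Added example: reject CWE-22 traversal in an HTTP file handler and flag it
in access logs. Web root, log lines and paths are constructed, not real."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/srv/mes/www"  # assumed document root of the web server
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")  # a '..' path segment


def resolve_safe(request_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path to a file under web_root, or None if it would escape.
    Decoded twice so double-encoded %252e%252e is caught. Lexical only: a
    real handler must also realpath() the result to defeat symlinks."""
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    if "\x00" in decoded:  # NUL bytes truncate paths in C-backed file APIs
        return None
    full = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = web_root.rstrip("/")
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def flag_traversal(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, decoded_path) for log lines whose request path holds
    a '..' segment after percent-decoding (query string ignored)."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if not m:
            continue
        path = unquote(unquote(m.group(1).split("?", 1)[0])).replace("\\", "/")
        if TRAVERSAL_RE.search(path):
            hits.append((no, path))
    return hits


# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/May/2026:10:00:01 +0000] "GET /dashboard/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/May/2026:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1879',
    '10.0.0.9 - - [05/May/2026:10:00:03 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0',
    '10.0.0.7 - - [05/May/2026:10:00:04 +0000] "GET /reports/2026..05.csv HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, path in flag_traversal(SAMPLE_LOG):
        print(f"line {no}: traversal segment in {path}")
```

Line 4 of the sample log shows why the check works on path segments rather than on any occurrence of `..`: a legitimate file name containing two dots is not flagged.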

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files from the server's file system, leading to information disclosure. This could expose sensitive data such as configuration files, credentials, or proprietary business information [2].

Mitigation

The vulnerability is fixed in version 11.6.0, released on 2026-05-05 [1]. Users should upgrade to this version immediately. No workarounds are documented, and the issue is not listed on CISA's Known Exploited Vulnerabilities catalog as of publication [2].

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.