Blossom's File Upload Function Can Be Tricked into Accessing Wrong Files
CVE-2026-2623
Summary
Blossom's file upload function has a path traversal flaw that lets remote attackers access files they shouldn't be able to reach. This could potentially allow them to view or modify sensitive data. No fixed version is available yet, so update Blossom as soon as one is released.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wangyunf | blossom | <= 1.17.1 | – |
Original title
A flaw has been found in Blossom up to 1.17.1. This issue affects the function put of the file blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java of the ...
Original description
A flaw has been found in Blossom up to 1.17.1. This issue affects the function put of the file blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java of the component File Upload. This manipulation causes path traversal. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
| Source | CVSS version | Score |
|---|---|---|
| NVD | 2.0 | 6.5 |
| NVD | 3.1 | 8.8 |
| NVD | 4.0 | 5.3 |
Vulnerability type
CWE-22
Path Traversal
- https://fx4tqqfvdw4.feishu.cn/docx/WmA3dzNfto3AxlxoFlqcu5amnXe Exploit Third Party Advisory
- https://vuldb.com/?ctiid.346274 Third Party Advisory VDB Entry
- https://vuldb.com/?id.346274 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.751988 Third Party Advisory VDB Entry
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026