Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
10.0
CVE-2026-9508: Suprema BioStar 2 allows public access to sensitive backup files
CVE-2026-9508
Summary
A security flaw in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allows anyone on the network to download sensitive backup files without a password. This is a concern because the files contain important information that could be used to access the server or other parts of the system. To fix this issue, update to a newer version of BioStar 2 that addresses this problem.
Original title
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path...
Original description
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.
nvd CVSS4.0
10.0
Vulnerability type
CWE-732
Incorrect Permission Assignment for Critical Resource
Published: 29 May 2026 · Updated: 31 May 2026 · First seen: 29 May 2026