CVE-2026-41412— alf.io vulnerable to Arbitrary File Read and Exfil via simpleHttpClient Extension Script
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41412
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
alf.io vulnerable to Arbitrary File Read and Exfil via simpleHttpClient Extension Script
Source: NVD (National Vulnerability Database)
Vulnerability Description
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every extension script's scope. The `postFileAndSaveResponse()` method accepts an arbitrary filesystem path as its `file` parameter and reads the file contents using `new FileInputStream(file)` with no path validation, directory restriction, or allowlist. A malicious extension script can read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server via HTTP POST. Version 2.0-M5-2606 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| alfio-event | alf.io | < 2.0-M5-2606 | - |
II. Public POCs for CVE-2026-41412
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41412
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-41412 (1)
IV. Related Vulnerabilities
Same product: alf.io
- CVE-2026-35482
alf.io has an Authenticated RCE via Extension Script Sandbox - CVE-2024-45300
Bypassing promo code limitations with race conditions - CVE-2024-45299
alf.io's preloaded data as json is not escaped correctly - CVE-2024-25634
IDOR make user can read e-mail log sent by other events - CVE-2024-25635
IDOR Vulnerability: Allowing Organization Owner to view the
Same vendor: alfio-event
- CVE-2026-35482
alf.io has an Authenticated RCE via Extension Script Sandbox - CVE-2024-45300
Bypassing promo code limitations with race conditions - CVE-2024-45299
alf.io's preloaded data as json is not escaped correctly - CVE-2024-25634
IDOR make user can read e-mail log sent by other events - CVE-2024-25635
IDOR Vulnerability: Allowing Organization Owner to view the
Same weakness: CWE-22
- CVE-2026-49144
BrowserStack Runner 0.9.5 Path Traversal via _default HTTP H - CVE-2026-32685
Path Traversal in gleam docs build via documentation.pages A - CVE-2026-43965
Path Traversal in build/packages/packages.toml Allows Arbitr - CVE-2026-49136
Banana Slides 0.4.0 Path Traversal via generate_image() in a - CVE-2026-43624
F5-TTS 1.1.20 Path Traversal via finetune_gradio.py create_d
V. Comments for CVE-2026-41412
No comments yet