Back to overview

CVE-2026-60114

HIGH Exploitation: PoC
7.5
CVSS 3.1
Description
Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a path traversal vulnerability that allows attackers with access to the restore functionality to write files to arbitrary locations by uploading crafted JSON backup files with unvalidated keys used to construct file paths. Attackers can exploit the lack of key validation in the JSON restore process, combined with the absence of a required passphrase in the default configuration or the default passphrase 'opendoor', to write arbitrary JSON files outside the intended data directory.

Metadata

CVE ID
CVE-2026-60114
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-08 13:27 UTC
Published
2026-07-14 14:37 UTC
Last updated
2026-07-14 15:22 UTC
Primary CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory …
Vendor / Product
Dan-in-CA / SIP
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Dan-in-CA SIP 0 ≤ 5.2.16
Weakness (CWE)
CWESourceDescription
CWE-22 cna Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Back to overview