CVE-2026-61343
HIGH
7.2
CVSS 3.1
Description
LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.
Metadata
Severity & Metrics
7.2
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| LibreBooking | LibreBooking | — | 0 < 5.1.0, 5.1.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-23 | cna | CWE-23 Relative Path Traversal |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.6 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 7.2 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References (5)
- url https://github.com/LibreBooking/librebooking/pull/1456
- url https://github.com/LibreBooking/librebooking/releases/tag/v5.1.0
- url https://github.com/LibreBooking/librebooking/commit/cb9b7ad9da0243bd105809f6a4a8a6b9147c71ea
- url https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-190-01.json
- url https://www.cve.org/CVERecord?id=CVE-2026-61343