CyberRota
← Ana sayfaya dön

CVE-2026-48049

MEDIUM · CVSS 5.3 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-17T22:17:14.557 · Çekilme zamanı: 2026-07-18T00:07:28.778893+00:00

CyberRota Yorumu

Uzaktan istismar edilebilir olabilir.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-48049
Severity
MEDIUM
CVSS
5.3
EPSS
Yok

Orijinal NVD Açıklaması

@hapi/inert provides static file and directory handlers for hapi.js. From 4.0.0 to 7.1.0, @hapi/inert serves static files from a directory configured with path in the directory or file handlers or relativeTo for h.file(), with confinement enforced by the confine option, but the confinement check compared the resolved absolute path against the confine directory using a raw string-prefix test, so a sibling directory such as /app/static-secret next to /app/static was incorrectly accepted and could allow an unauthenticated remote attacker to read files via /..%2fstatic-secret/secret.txt. This issue is fixed in version 7.1.1.