IM
IronMonkey Threat Research

CVE-2026-16219 MEDIUM

Published: 2026-07-19 | Last Modified: 2026-07-19 | Status: Received

Description

A flaw has been found in Croogo CMS up to 4.0.7. This affects the function FileManager::isEditable of the file FileManager/src/Utility/FileManager.php of the component Admin File Manager. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Metrics

Base Score: 6.3 (MEDIUM)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactLOW
Integrity ImpactLOW
Availability ImpactLOW

Source: [email protected]

Type: Primary

Exploitability Score: 2.8

Impact Score: 3.4

Base Score: 6.5 (MEDIUM)

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access VectorNETWORK
Access ComplexityLOW
AuthenticationSINGLE
Confidentiality ImpactPARTIAL
Integrity ImpactPARTIAL
Availability ImpactPARTIAL

Source: [email protected]

Type: Secondary

Exploitability Score: 8.0

Impact Score: 6.4

Base Score: 2.1 (LOW)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack VectorNETWORK
Attack ComplexityLOW
Attack RequirementsNONE
Privileges RequiredLOW
User InteractionNONE
Vulnerability ConfidentialityLOW
Vulnerability IntegrityLOW
Vulnerability AvailabilityLOW
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE

Source: [email protected]

Type: Secondary

Weaknesses

Source Type Description
[email protected] Primary
en CWE-22
Notification
Message here