Search criteria
1 vulnerability by ABC PRO SP. Z O.O.
CVE-2026-1186 (GCVE-0-2026-1186)
Vulnerability from cvelistv5 – Published: 2026-02-02 13:59 – Updated: 2026-02-02 17:32
VLAI?
Title
Path Traversal in EAP Legislator
Summary
EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare zipx archive (default file type used by the Legislator application) and choose arbitrary path outside the intended directory (e.x. system startup) where files will be extracted by the victim upon opening the file.
This issue was fixed in version 2.25a.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ABC PRO SP. Z O.O. | EAP Legislator |
Affected:
0 , ≤ 2.25
(custom)
|
Credits
Marcin Ressel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T17:32:25.764299Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T17:32:58.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EAP Legislator",
"vendor": "ABC PRO SP. Z O.O.",
"versions": [
{
"lessThanOrEqual": "2.25",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcin Ressel"
}
],
"datePublic": "2026-02-02T11:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare \u003cspan style=\"background-color: rgba(221, 223, 228, 0.1);\"\u003ezipx archive (default file type used by the Legislator application)\u003c/span\u003e and choose arbitrary path \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eoutside the intended directory (e.x. system startup)\u0026nbsp;\u003c/span\u003ewhere files \u003cspan style=\"background-color: rgba(221, 223, 228, 0.1);\"\u003ewill be extracted by the victim upon opening the file.\u003c/span\u003e\u003cbr\u003eThis issue was fixed in version 2.25a."
}
],
"value": "EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare zipx archive (default file type used by the Legislator application) and choose arbitrary path outside the intended directory (e.x. system startup)\u00a0where files will be extracted by the victim upon opening the file.\nThis issue was fixed in version 2.25a."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
},
{
"capecId": "CAPEC-549",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-549 Local Execution of Code"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T13:59:56.671Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"product"
],
"url": "https://abcpro.pl/eap-legislator"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/02/CVE-2026-1186"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in EAP Legislator",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-1186",
"datePublished": "2026-02-02T13:59:56.671Z",
"dateReserved": "2026-01-19T13:17:10.720Z",
"dateUpdated": "2026-02-02T17:32:58.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}