CVE-2026-1978
Remote Manipulation Vulnerability in kalyan02 NanoCMS User Handler

Publication date: 2026-02-06

Last updated on: 2026-02-27

Assigner: VulDB

Description
A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings.
Meta Information
Published: 2026-02-06
Last Modified: 2026-02-27
Generated: 2026-06-16
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: kalyan02
Product: nanocms
Version / Range: to 0.4 (inc)
CWE ID: CWE-425
Description: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Mitigation Strategies

Immediate mitigation involves changing the configuration settings of NanoCMS to enforce proper authorization controls on the /data/pagesdata.txt file.

This will prevent unauthorized remote access to sensitive user information stored in that file.

Executive Summary

CVE-2026-1978 is a vulnerability in kalyan02 NanoCMS versions up to 0.4 that affects the User Information Handler component via the file /data/pagesdata.txt.

The issue is a direct request vulnerability where the web application fails to enforce proper authorization on this file, allowing remote attackers to directly access sensitive user information without authentication.

This happens because the CMS does not properly restrict access to the pagesdata.txt file, which stores user data, enabling attackers to retrieve sensitive administrator user information by sending direct web requests.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user information, including administrator data, compromising confidentiality.

Attackers can remotely exploit this flaw without any authentication, making it easy to access sensitive data.

Such exposure can result in privacy breaches, potential identity theft, or further attacks leveraging the leaked information.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the file /data/pagesdata.txt is accessible without authentication on the target NanoCMS installation.

One way to detect it is by attempting to directly request the file via HTTP, for example using curl or wget commands.

- curl -I http://target-website.com/data/pagesdata.txt
- wget --spider http://target-website.com/data/pagesdata.txt

Additionally, Google dorking can be used to find vulnerable targets by searching for URLs containing 'inurl:data/pagesdata.txt'.

- Google search query: inurl:data/pagesdata.txt
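
The same check can be made from the server side by scanning the web server's access log for requests that addressed /data/pagesdata.txt and were actually served. This is an added example, not code from NanoCMS or from this advisory; it assumes common/combined log format, and the sample log lines, addresses and the /cms/ install prefix are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

PROTECTED = "/data/pagesdata.txt"  # file named in the advisory
SERVED = {200, 206, 304}           # statuses meaning the content was readable

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2026:09:14:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Feb/2026:09:15:40 +0000] "HEAD /data/pagesdata.txt HTTP/1.1" 200 0',
    '198.51.100.23 - - [10/Feb/2026:09:15:41 +0000] "GET /cms//data/pagesdata.txt?v=1 HTTP/1.1" 200 2311',
    '192.0.2.55 - - [10/Feb/2026:11:02:09 +0000] "GET /data/pagesdata.txt HTTP/1.1" 403 199',
]

def canonical(target):
    """Strip query/fragment, decode, collapse slashes and dot segments, lowercase."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return normpath(re.sub(r"/+", "/", path)).lower()

def exposures(lines):
    """Return one record per request that addressed the protected file."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        ip, when, method, target, status = m.groups()
        path = canonical(target)
        # endswith() also covers installs under a sub-directory such as /cms/
        if path.endswith(PROTECTED):
            hits.append({"ip": ip, "time": when, "method": method, "path": path,
                         "status": int(status), "served": int(status) in SERVED})
    return hits

if __name__ == "__main__":
    for hit in exposures(SAMPLE_LOG):
        verdict = "EXPOSED" if hit["served"] else "blocked"
        print(f'{verdict:8} {hit["status"]} {hit["method"]:4} {hit["path"]} '
              f'from {hit["ip"]} at {hit["time"]}')
```

Any record with served set to true means the file is still being delivered to unauthenticated clients; once access to it is restricted, the same requests should appear only with a denial status such as 403 or 404.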
