CVE-2026-4233
Awaiting Analysis Awaiting Analysis - Queue
Path Traversal in ThingsGateway /api/file/download Allows Remote Exploitation

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in ThingsGateway 12. This affects an unknown part of the file /api/file/download. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-03-16
EPSS Evaluated
2026-05-05
NVD
CVE-2026-4233
EUVD
EUVD-2026-12399
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
thingsgateway thingsgateway 12
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in ThingsGateway version 12, specifically in the /api/file/download endpoint. It involves the manipulation of the fileName argument, which allows an attacker to perform a path traversal attack. This means an attacker can potentially access files and directories outside the intended scope by crafting malicious input.

The vulnerability can be exploited remotely, and there is a publicly available exploit. The vendor was informed about this issue but did not respond.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to access unauthorized files on the server running ThingsGateway 12 by exploiting the path traversal flaw. This could lead to exposure of sensitive information or configuration files that should not be accessible.

Since the exploit is publicly available and can be executed remotely without user interaction, it increases the risk of unauthorized data disclosure or further attacks leveraging the accessed files.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart