CVE-2026-30996
Directory Traversal in SAC-NFe download.php Allows Arbitrary File Read
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| softsul | sac-nfe | up to 2.0.02 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30996 is a critical unauthenticated Path Traversal vulnerability in the SAC-NFe v2.0.02 system, specifically in the download.php and open_pdf.php components.
The vulnerability arises because these components accept a user-supplied 'file' parameter without proper validation or sanitization, directly passing it to PHP's readfile() function.
Attackers can exploit this by crafting GET requests with directory traversal sequences (like '../') to read arbitrary files on the host system, bypassing intended directory restrictions.
This allows unauthorized access to sensitive files such as Windows system files, executable binaries, PHP configuration files, application source code, and fiscal configuration files containing database credentials.
How can this vulnerability impact me?
This vulnerability poses a high risk to data confidentiality and integrity, especially in public sector fiscal management systems using SAC-NFe.
Attackers can read sensitive system and application files without authentication, potentially exposing critical configuration data, credentials, and system information.
Such unauthorized access can lead to further exploitation, data breaches, and compromise of the affected system's security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access sensitive files through crafted HTTP GET requests targeting the download.php or open_pdf.php endpoints with a manipulated `file` parameter.
For example, using cURL commands to test directory traversal sequences like `../` or absolute paths can reveal if the system is vulnerable.
- `curl "http://target/download.php?file=../../../../../../Windows/win.ini"`
- `curl "http://target/open_pdf.php?file=C:/Windows/System32/drivers/etc/services"`
If the response returns the contents of these sensitive files, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves modifying the application code to prevent directory traversal attacks.
- Hardcode a fixed base directory from which files can be served.
- Use PHP's `basename()` function to strip directory traversal sequences from the `file` parameter.
- Validate that the requested file resides strictly within the authorized directory before serving it.
These steps prevent arbitrary path traversal and unauthorized file disclosure until an official patch is available.
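The three mitigation steps above, worked through as an added PHP example; this is not SAC-NFe's own code, and the `downloads` directory, the `file` parameter handling and the response headers are assumptions:

```php
<?php
// Added example, not code from SAC-NFe. Shows the pattern CVE-2026-30996 describes
// (user-controlled 'file' passed straight to readfile()) beside a hardened version.

// The vulnerable pattern as described in the advisory: no base directory, no validation.
function serve_vulnerable(string $file): void
{
    readfile($file); // '../' sequences and absolute paths resolve wherever the caller likes
}

// Hardened version: fixed base directory, basename() to drop every directory component,
// then realpath() to confirm the canonical path of the file still lies under that base.
function resolve_download(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing: serve nothing rather than guess
    }
    // basename() removes any leading directories (using the platform's separators),
    // so '../../x' or '/etc/x' reduce to 'x'. Reject empty and dot names explicitly.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null; // no such regular file under the base directory
    }
    // Defence in depth: realpath() follows symlinks, so a link pointing outside the
    // base directory is caught here even though basename() already passed.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Assumed request handling: files are served only from an application-local directory.
$requested = $_GET['file'] ?? '';
$path = resolve_download($requested, __DIR__ . '/downloads');
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Because `resolve_download()` returns `null` for anything that does not canonicalise to a regular file directly inside the base directory, the two probe requests quoted in the detection answer above receive a 404 instead of file contents.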
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to read arbitrary files on the system, including sensitive files such as fiscal configuration files containing database credentials and application source code. This unauthorized access to sensitive data poses a high risk to data confidentiality and integrity.
Such exposure of sensitive information can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data to prevent unauthorized disclosure.
Since the vulnerability affects public sector fiscal management systems, failure to address it could result in violations of regulatory requirements related to data security and privacy.