CVE-2026-5258
Received Received - Intake
Path Traversal in Sanster IOPaint File Manager Allows Remote Exploit

Publication date: 2026-04-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Sanster IOPaint 1.5.3. Impacted is the function _get_file of the file iopaint/file_manager/file_manager.py of the component File Manager. Performing a manipulation of the argument filename results in path traversal. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5258
EUVD
EUVD-2026-17821
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sanster iopaint to 1.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5258 is a path traversal vulnerability in Sanster IOPaint version 1.5.3, specifically in the File Manager component's _get_file() function. This function takes a filename argument from HTTP GET requests and concatenates it directly with a base directory path without any validation or sanitization.

Because the filename parameter is not checked for malicious sequences like '../', an attacker can manipulate it to access files outside the intended directory. This allows reading arbitrary files on the server remotely without authentication.

The vulnerability affects endpoints such as GET /api/v1/media_file and GET /api/v1/media_thumbnail_file, and the server must be started with the --input parameter pointing to a directory for the File Manager to be enabled.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to read any file accessible by the IOPaint process user on the server.

  • Attackers can access sensitive system files such as /etc/passwd and /etc/hosts.
  • They can read application source code and configuration files.
  • Cryptographic keys, including SSH private keys, can be exposed.
  • User data stored on the server may also be compromised.

The lack of any authentication mechanism in IOPaint makes exploitation easier, as any network client can exploit this vulnerability.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the affected endpoints for path traversal patterns such as '../' sequences in the filename parameter.

Specifically, look for requests to the following endpoints with suspicious filename parameters:

  • GET /api/v1/media_file
  • GET /api/v1/media_thumbnail_file

You can use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and grep for path traversal patterns.

Example command to detect such attempts in web server logs or captured traffic:

  • grep -E "GET .*filename=.*\.\./" access.log
  • tcpdump -A -s 0 'tcp port 80' | grep -E "GET .*filename=.*\.\./"

Additionally, you can test the vulnerability by sending crafted HTTP GET requests with path traversal sequences in the filename parameter to see if arbitrary files are returned.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable IOPaint File Manager endpoints and disabling the File Manager feature if possible.

Since the vulnerability allows unauthenticated remote file reads, you should:

  • Block or restrict network access to the IOPaint server, especially the endpoints /api/v1/media_file and /api/v1/media_thumbnail_file.
  • If feasible, stop the IOPaint service or run it without the --input parameter to disable the File Manager functionality.
  • Apply the suggested code fix by sanitizing and validating the filename parameter in the _get_file() method to prevent path traversal.

The fix involves resolving the base directory path, extracting only the filename component, verifying the resolved path remains within the base directory, checking file existence, and raising exceptions for invalid access.

Until a patched version is available, consider deploying web application firewalls (WAFs) or intrusion detection systems (IDS) to detect and block path traversal attempts.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to read arbitrary files on the server, including sensitive system files, application configuration files, cryptographic keys, source code, and user data.

This exposure of sensitive data could lead to non-compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.

Since the vulnerability enables unauthorized access to potentially sensitive user data without authentication or access controls, it increases the risk of data breaches and privacy violations, thereby impacting compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5258. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart