CVE-2026-10074
Arbitrary File Read via Relative Path Traversal in DreamMaker
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: TWCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| interinfo | dreammaker | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DreamMaker developed by Interinfo and is an Arbitrary File Read issue. It allows privileged local attackers to exploit Relative Path Traversal, which means they can manipulate file paths to access and download arbitrary system files that they normally should not be able to read.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker with local privileged access can read sensitive system files by exploiting the path traversal flaw. This could lead to unauthorized disclosure of confidential information stored in system files, potentially compromising system security and privacy.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in DreamMaker allows privileged local attackers to exploit Relative Path Traversal to read arbitrary system files.
Since the vulnerability requires privileged local access, immediate mitigation steps include restricting local user privileges to trusted users only.
No specific patch or update information is provided in the resources for this CVE.
General best practices include monitoring and limiting local access, auditing file access logs for suspicious activity, and applying any vendor patches if available.