CVE-2026-11442
Received Received - Intake
Directory Traversal in Allegra exportReport

Publication date: 2026-06-13

Last updated on: 2026-06-13

Assigner: Zero Day Initiative

Description
Allegra exportReport Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Allegra. Authentication is required to exploit this vulnerability. The specific flaw exists within the exportReport method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-28208.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-13
Last Modified
2026-06-13
Generated
2026-06-13
AI Q&A
2026-06-13
EPSS Evaluated
N/A
NVD
CVE-2026-11442
EUVD
EUVD-2026-36633
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
allegra allegra 9.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11442 is a Directory Traversal and Information Disclosure vulnerability affecting Allegra products. It occurs in the exportReport method due to improper validation of user-supplied file paths before performing file operations.

This flaw allows remote attackers, who have authentication, to disclose sensitive information by accessing files outside the intended directory, leveraging the service account's permissions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the affected Allegra installation.

Since the attacker can access files with the privileges of the service account, this could expose confidential data, potentially leading to data breaches or leakage of critical information.

Mitigation Strategies

To mitigate this vulnerability, you should update Allegra to version 9.0.0 or later, as this release includes fixes addressing the directory traversal and information disclosure issue in the exportReport method.

Since the vulnerability requires authentication to exploit, ensure that access controls and authentication mechanisms are properly enforced to limit exposure.

Compliance Impact

This vulnerability allows remote attackers to disclose sensitive information on affected Allegra installations by exploiting a directory traversal flaw in the exportReport method. Since it enables unauthorized disclosure of sensitive data, it could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

However, the vulnerability requires authentication to be exploited, which may mitigate some risk depending on the strength of access controls and monitoring in place.

Organizations using Allegra should apply the vendor's update (version 9.0.0) to address this issue and reduce the risk of sensitive data exposure, thereby helping maintain compliance with relevant standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart