CVE-2026-61343
Received Received - Intake

Arbitrary File Write in LibreBooking Email Template Editor

Vulnerability report for CVE-2026-61343, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
librebooking librebooking 5.1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves a path traversal issue in the LibreBooking email template editor that allows an authenticated administrator to write arbitrary files outside the intended template directory by submitting malicious template names containing sequences like "..", "/", or "\".

Detection can focus on monitoring for suspicious file write operations or template save actions that include path traversal sequences or unexpected file extensions.

Suggested commands to detect potential exploitation attempts include:

  • On the server, search for recently modified or created template files with suspicious names or locations outside the normal template directory, for example:
  • find /path/to/librebooking/templates -type f \( -name "*..*" -o -name "*\/*" -o -name "*\\*" \) -ls
  • Check web-accessible directories for unexpected PHP files that could have been uploaded via this vulnerability:
  • find /path/to/webroot -type f -name "*.php" -mtime -7 -ls
  • Review application logs for template save actions performed by administrator accounts that include suspicious template names containing path traversal sequences.

Because the vulnerability requires administrator credentials, monitoring admin activity logs for unusual template save operations is critical.

Mitigation Strategies

The primary mitigation is to upgrade LibreBooking to version 5.1.0 or later, where this vulnerability has been fixed by enforcing strict validation on template names during save operations.

The fix includes a shared validation function that rejects template names containing path traversal sequences, control characters, or incorrect file extensions, preventing arbitrary file writes outside the template directory.

Until the upgrade can be applied, restrict administrator access to trusted users only, and monitor for suspicious template save activities.

Additionally, review and harden file system permissions to prevent unauthorized file writes outside the template directory.

Implement defense-in-depth measures such as web server restrictions to prevent execution of unexpected PHP files in web-accessible directories.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-61343 is a path traversal vulnerability in LibreBooking's email template editor. The save action for email templates does not properly validate the submitted template name, allowing an authenticated administrator to write arbitrary files outside the intended template directory.

This flaw enables an attacker with administrator credentials to craft a malicious template name containing path traversal sequences (such as "../") and save files in unintended locations, including web-accessible directories.

By doing so, the attacker could upload a PHP file and execute arbitrary code remotely on the server.

The vulnerability was fixed in version 5.1.0 by introducing a shared validation function that enforces strict rules on template names, rejecting invalid names containing path traversal sequences or improper extensions.

Impact Analysis

If exploited, this vulnerability allows an attacker with administrator access to write arbitrary files outside the designated template directory.

This can lead to remote code execution by placing malicious PHP files in web-accessible locations, potentially compromising the entire server.

Such an attack could result in unauthorized control over the affected system, data breaches, service disruption, and further exploitation of the network.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61343. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart