CVE-2026-7185
Received Received - Intake

Path Traversal Vulnerability in TAO 2.0 Suite

Vulnerability report for CVE-2026-7185, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

A validation vulnerability has been identified in certain web features related to file management or upload in several products of the TAO 2.0 suite. This vulnerability could allow an attacker capable of interacting with the affected feature to attempt to access file system resources outside the scope intended by the application.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
tao archivo to 2602.00 (exc)
tao mytao to 2602.00 (exc)
tao estima to 2602.00 (exc)
tao buroweb to 2602.00 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-7185 is a medium-severity validation vulnerability found in certain web features related to file management or upload in several products of the TAO 2.0 suite, including Archivo, MyTAO, eStima, and Buroweb. This flaw allows an attacker who can interact with the affected feature to attempt to access file system resources outside the intended scope of the application.

Impact Analysis

This vulnerability could allow an attacker to access files or resources on the system that should be restricted, potentially exposing sensitive data or system files. Exploitation does not require authentication but does require user interaction, which means an attacker could trick a user into triggering the vulnerability. This unauthorized access could lead to data breaches or compromise of system integrity.

Mitigation Strategies

To mitigate CVE-2026-7185, users should update all affected TAO 2.0 suite products, including Archivo, MyTAO, eStima, and Buroweb, to version 2602.0.0 or later.

This update fixes the validation vulnerability in web features related to file management or upload that could allow unauthorized access to file system resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart