CVE-2026-7185
Received
Received - Intake
Path Traversal Vulnerability in TAO 2.0 Suite
Vulnerability report for CVE-2026-7185, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-06
Last updated on: 2026-07-06
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
A validation vulnerability has been identified in certain web features related to file management or upload in several products of the TAO 2.0 suite. This vulnerability could allow an attacker capable of interacting with the affected feature to attempt to access file system resources outside the scope intended by the application.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tao | archivo | to 2602.00 (exc) |
| tao | mytao | to 2602.00 (exc) |
| tao | estima | to 2602.00 (exc) |
| tao | buroweb | to 2602.00 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |