CVE-2026-35082

Local file inclusion vulnerability and deletion in ugw-logread method

CVSS 8.7 HIGH | EPSS 0.5% | CWE-22
In short

A remote user with user-level privileges can read any file on the system because the ugw-logread method does not properly check which files it is allowed to access. This exposes sensitive data such as passwords or configuration files.

Technical detail

The ugw-logread method lacks input validation on file path parameters, allowing path traversal attacks (CWE-22). An authenticated remote attacker can traverse directory structures to access arbitrary files on the system, resulting in unauthorized information disclosure.

Summary generated and translated by AI from the official description.
The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
