Jan 5, 2026·5 min read·12 visits
The Redaxo Backup Addon blindly trusted user input defining which directories to zip. Authenticated attackers can use directory traversal (`../`) in the `EXPDIR` parameter to force the server to archive and download sensitive files like `config.yml` (containing DB passwords) instead of the intended backup folders.
A critical Path Traversal vulnerability in the Redaxo CMS Backup Addon allows authenticated users to manipulate export parameters, enabling the extraction of sensitive system configuration files and database credentials.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Redaxo CMS | <= 5.20.1 | 5.20.2 |
| Redaxo Backup Addon | <= 2.9.3 | 2.9.4 |
| Attribute | Detail |
|---|---|
| CWE | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |
| CVSS v3.1 | 8.8 (High) |
| Attack Vector | Network |
| Privileges | Low (Backup Permission) |
| Impact | Confidentiality, Integrity, Availability |
| Exploit Status | PoC Available |
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
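The following is an added example, not code from Redaxo or the Backup Addon, showing the CWE-22 pattern described above beside a hardened resolver. It is written in Python rather than the addon's PHP so it runs stand-alone; the export directory names (`media`, `addons`), the sandbox layout and the placeholder `config.yml` content are all constructed for the example and do not reflect the real addon's source or file locations. The hardened version applies two independent controls: an exact-match allowlist on the `EXPDIR` value, so separators and dot segments never reach a filesystem call, and a `realpath` containment check as defense in depth.

```python
import os
import tempfile

# Directory names the backup addon is meant to export. Assumed names for this
# example, not taken from the addon's source.
ALLOWED_EXPORT_DIRS = frozenset({"media", "addons"})


def vulnerable_resolve(base_dir: str, expdir: str) -> str:
    """Reproduces the flawed pattern the advisory describes: the user-supplied
    directory name is joined into the export path without any neutralization,
    so '../' segments walk out of the backup area."""
    return os.path.normpath(os.path.join(base_dir, expdir))


def safe_resolve(base_dir: str, expdir: str) -> str:
    """Hardened resolver with two independent controls:
    1. The value must exactly match an allowlisted directory name.
    2. The resolved real path must still lie inside base_dir (defense in depth
       against symlinks or a later mistake in the allowlist)."""
    if expdir not in ALLOWED_EXPORT_DIRS:
        raise ValueError(f"EXPDIR not in allowlist: {expdir!r}")
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, expdir))
    # Both paths are absolute here, so commonpath will not raise.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"EXPDIR resolves outside the backup directory: {target}")
    return target


def build_sandbox() -> tuple:
    """Creates a constructed throwaway layout: a backup base directory holding
    the two legitimate export folders, plus a config.yml one level above it
    standing in for the real configuration file. Returns (base_dir, config_path)."""
    root = tempfile.mkdtemp(prefix="redaxo-pt-")
    base_dir = os.path.join(root, "backup")
    for name in ALLOWED_EXPORT_DIRS:
        os.makedirs(os.path.join(base_dir, name))
    config_path = os.path.join(root, "config.yml")
    with open(config_path, "w", encoding="utf-8") as fh:
        # Constructed placeholder content, not a real secret.
        fh.write("db:\n  password: constructed-placeholder\n")
    return base_dir, config_path


def demo() -> dict:
    """Runs both resolvers against a legitimate value and a traversal value
    and reports what each one did."""
    base_dir, config_path = build_sandbox()
    traversal = "../config.yml"
    vulnerable_target = vulnerable_resolve(base_dir, traversal)
    results = {
        # The unhardened join lands on the file outside the backup area.
        "vulnerable_reaches_config":
            vulnerable_target == config_path and os.path.isfile(vulnerable_target),
        # A legitimate allowlisted name still resolves to its folder.
        "safe_accepts_media":
            safe_resolve(base_dir, "media")
            == os.path.join(os.path.realpath(base_dir), "media"),
    }
    try:
        safe_resolve(base_dir, traversal)
        results["safe_rejects_traversal"] = False
    except ValueError:
        results["safe_rejects_traversal"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The allowlist is the primary control: the parameter selects a folder from a fixed set, so there is no reason to accept arbitrary path fragments at all. The `realpath` comparison stays in place so that a symlink planted inside an exported folder, or a future addition to the allowlist, still cannot reach outside the backup directory. On the monitoring side, any `EXPDIR` value containing a path separator or `..` is by construction never legitimate and is a reliable detection signal in access logs.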