{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29597", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T18:21:08.671Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T15:21:28.621Z"}, "descriptions": [{"lang": "en", "value": "Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via crafted requests."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://ddsn.com"}, {"url": "http://acora.com"}, {"url": "https://github.com/padayali-JD/CVE-2026-29597"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:20:32.685189Z", "id": "CVE-2026-29597", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:21:08.671Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29597", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:20:32.685189Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:18:22.323Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://ddsn.com"}, {"url": "http://acora.com"}, {"url": "https://github.com/padayali-JD/CVE-2026-29597"}], "descriptions": [{"lang": "en", "value": "Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via crafted requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T15:21:28.621Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29597", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:21:08.671Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect access control in the file_details.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allows attackers with editor privileges to access sensitive files via crafted requests."}], "id": "CVE-2026-29597", "lastModified": "2026-03-30T19:16:23.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T16:16:04.310", "references": [{"source": "cve@mitre.org", "url": "http://acora.com"}, {"source": "cve@mitre.org", "url": "http://ddsn.com"}, {"source": "cve@mitre.org", "url": "https://github.com/padayali-JD/CVE-2026-29597"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:26:34.772099+00:00", "value": {"mitigation_remediation": ["Update Acora CMS to the most recent patch that restricts file access via file_details.asp.", "If a patch is unavailable, remove or downgrade the editor role or block editor users from accessing the file_details.asp endpoint.", "Configure a web\u2011application firewall to deny requests that contain suspicious or non\u2011standard file path parameters.", "Regularly monitor web server logs for unexpected requests to file_details.asp and investigate any anomalies."], "summary": {"action": "Apply Patch", "impact": "Sensitive file exposure"}, "threat_synthesis": {"affected_systems": "The affected product is DDSN Interactive Acora CMS version 10.7.1. No other vendor or product variants are listed in the CVE record.", "description_and_impact": "This vulnerability arises from incorrect access control on the file_details.asp endpoint of Acora CMS. An attacker who has been granted editor privileges can construct special requests that cause the server to return any file located on its filesystem. The result is that confidential or sensitive content can be read by the attacker, representing an information\u2011disclosure issue classified as CWE-284.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity level, while the EPSS score is not available and the vulnerability is not cataloged on CISA\u2019s KEV list. Attackers only need to possess editor access, a role that is often delegated to non\u2011administrative users. The exploit requires only a crafted HTTP request and can be performed remotely. The lack of a higher level of authentication or additional verification makes exploitation straightforward once editor access is achieved."}}}}, "created": "2026-03-30T20:56:27.815447+00:00", "title": "Acora CMS v10.7.1 Improper Access Control Exposes Sensitive Files", "updated": "2026-03-30T20:56:27.815487+00:00", "vendors": []}