CVE-2026-3795 Overview
A path traversal vulnerability has been disclosed in doramart DoraCMS 3.0.x. It affects the createFileBypath function, defined in the server-side source file /DoraCMS/server/app/router/api/v1.js (the router for the v1 API, not a URL an attacker requests directly). By manipulating the file path parameter handed to that function, an authenticated remote attacker can traverse to files and directories outside the directory the function is meant to operate on. The attack is carried out over the network, and a public exploit has been released, which increases the likelihood of active exploitation.
Critical Impact
Remote attackers can traverse directory paths to read, write, or manipulate files outside the designated application directory, potentially leading to sensitive data exposure, configuration tampering, or further system compromise.
Affected Products
- DoraCMS 3.0.x (vendor listed as doramart / Html-js)
- DoraCMS installations in which the createFileBypath function is reachable by authenticated users
- Systems exposing the v1 API routes defined in /DoraCMS/server/app/router/api/v1.js to untrusted networks
Discovery Timeline
- 2026-03-09 - CVE-2026-3795 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-3795
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the createFileBypath function of DoraCMS. The vulnerability allows authenticated remote attackers to escape the intended file system boundaries by injecting directory traversal sequences (such as ../) into file path parameters. The function fails to properly sanitize or validate user-supplied input before constructing file system paths, enabling attackers to access arbitrary locations on the server.
The exploit has been publicly disclosed, and despite early contact with the vendor regarding this security issue, no response was received. This lack of vendor engagement increases the urgency for affected organizations to implement protective measures.
Root Cause
The root cause of this vulnerability is insufficient input validation in the createFileBypath function. The application does not properly sanitize file path inputs, allowing special characters and directory traversal sequences to be processed. This enables attackers to construct malicious paths that reference files and directories outside the application's intended scope.
Attack Vector
The attack is executed remotely over the network by an authenticated user. The attacker sends a crafted request to the v1 API route that invokes createFileBypath (the routes are defined in /DoraCMS/server/app/router/api/v1.js; the advisory does not name the exact URL), placing path traversal sequences in the file path parameter. This lets the attacker navigate outside the directory the function is intended to work in.
The exploit manipulates the file path parameter passed to createFileBypath. Because the value is used to build a file system path without normalization or a boundary check, a parameter containing repeated parent directory references, either literal ../ or a URL-encoded variant such as ..%2f, resolves to a location outside the intended directory. The function name indicates a file-creation operation, so the practical consequence is that attacker-controlled content can land at an attacker-chosen location on the server rather than inside the designated content directory. For detailed technical analysis, refer to the VulDB advisory.
Detection Methods for CVE-2026-3795
Indicators of Compromise
- HTTP requests to the DoraCMS API (the routes defined in /DoraCMS/server/app/router/api/v1.js) whose file path parameter contains traversal sequences such as ../, ..%2f, ..%5c, or double-encoded forms such as %252e%252e
- Unusual file access patterns in web server logs targeting sensitive system files
- Access attempts to files outside the DoraCMS web root directory
- Requests reaching the file-creation API (the code path that calls createFileBypath) with encoded or double-encoded directory traversal payloads
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Monitor application logs for requests containing multiple consecutive ../ sequences or URL-encoded equivalents
- Deploy file integrity monitoring on critical system files and DoraCMS configuration directories
- Configure intrusion detection systems (IDS) to alert on path traversal attack signatures
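The log-monitoring strategy above is easy to get wrong if the detector only looks for the literal string "../": encoded (..%2f), backslash (..%5c) and double-encoded (%252e%252e) forms slip past. The following is an added example, not DoraCMS code, that scans web-server access log lines, decodes percent-encoding repeatedly (bounded) and flags any request whose decoded target contains a ".." path segment or a null byte. The route /api/upload/createFile and the log lines are constructed for illustration; the advisory does not name the real API path.

```javascript
// Added example (not part of DoraCMS): flag path-traversal attempts in
// nginx/Apache combined-format access logs. Route name and log lines are
// constructed sample data, not taken from a real deployment.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Mar/2026:10:01:02 +0000] "POST /api/upload/createFile?path=images/a.txt HTTP/1.1" 200 12',
  '10.0.0.6 - - [10/Mar/2026:10:01:03 +0000] "POST /api/upload/createFile?path=../../app/router/x.js HTTP/1.1" 200 12',
  '10.0.0.7 - - [10/Mar/2026:10:01:04 +0000] "POST /api/upload/createFile?path=..%2f..%2fconfig%2fx.js HTTP/1.1" 200 12',
  '10.0.0.8 - - [10/Mar/2026:10:01:05 +0000] "POST /api/upload/createFile?path=%252e%252e%252fetc%252fx HTTP/1.1" 200 12',
  '10.0.0.9 - - [10/Mar/2026:10:01:06 +0000] "POST /api/upload/createFile?path=..%5c..%5cwin.ini HTTP/1.1" 200 12',
  '10.0.0.10 - - [10/Mar/2026:10:01:07 +0000] "GET /api/posts?page=2 HTTP/1.1" 200 512',
];

// Extracts method and request target from the quoted request line.
const REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/;

// Percent-decode repeatedly (bounded) so double-encoded payloads such as
// %252e%252e are reduced to ".." as well. Stops on malformed escapes.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed escape sequence: keep what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// True when the decoded target contains a ".." segment (treating "\" as a
// separator, since %5c variants target Windows hosts) or a null byte.
function hasTraversal(target) {
  const decoded = fullyDecode(target).replace(/\\/g, '/');
  if (decoded.includes('\0')) return true;
  return decoded.split(/[/?&=]/).some((seg) => seg === '..');
}

// Returns one record per suspicious line: client IP and the raw target.
function findTraversalAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    if (hasTraversal(m.groups.target)) {
      hits.push({ ip: line.split(' ')[0], target: m.groups.target });
    }
  }
  return hits;
}

console.log(findTraversalAttempts(SAMPLE_LOG));
```

Run against a real log with the route prefix your deployment actually exposes. The bounded decode loop matters: a single decodeURIComponent pass would miss the double-encoded line, and an unbounded one invites a decoding-loop denial of service on pathological input.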
Monitoring Recommendations
- Enable verbose logging on the DoraCMS application to capture all API requests with full parameter details
- Set up alerts for any access attempts to sensitive directories such as /etc/, /var/, or parent directories of the web root
- Monitor for unusual file creation or modification events outside the DoraCMS content directory
- Implement centralized log aggregation to correlate potential attack patterns across multiple systems
How to Mitigate CVE-2026-3795
Immediate Actions Required
- Restrict network access to the DoraCMS administration interface and API endpoints using firewall rules
- Implement strict input validation on all file path parameters at the application gateway or WAF level
- Review and audit all recent file system access logs for signs of exploitation
- Consider temporarily disabling the createFileBypath functionality if not critical to operations
Patch Information
At the time of publication, the vendor (doramart) has not responded to disclosure attempts and no official patch is available. Organizations should monitor the VulDB advisory and official DoraCMS repositories for security updates. Consider implementing compensating controls until a patch is released.
Workarounds
- Deploy a web application firewall (WAF) with rules to block path traversal sequences in all incoming requests
- Implement server-side validation that canonicalizes the supplied path (path.resolve or equivalent) and rejects any result that falls outside the intended base directory, and reject null bytes outright; filtering only the literal ../ string is insufficient because encoded and mixed variants bypass it
- Use chroot jails or containerization to limit the file system scope accessible to the DoraCMS application
- Apply the principle of least privilege to the DoraCMS service account, restricting file system permissions
# Example nginx configuration to block path traversal attempts in the URL.
# "/api/" is an assumed route prefix: v1.js is a server-side source file, not
# a URL, so match the API paths your DoraCMS instance actually exposes.
location /api/ {
    # $request_uri is the raw, undecoded request line, so match literal and
    # percent-encoded dot-dot, including mixed forms such as ".%2e", followed
    # by a slash or an encoded slash/backslash. ~* is case-insensitive, so
    # %2E and %2F are covered as well.
    if ($request_uri ~* "(\.|%2e)(\.|%2e)(/|%2f|%5c)") {
        return 403;
    }
    # Limitation: only the URL is inspected. A traversal payload sent in a
    # JSON or form body is not seen here and still needs the application-side
    # canonicalize-and-check validation described above.
    proxy_pass http://doracms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

