
CVE-2026-3795: DoraCMS Path Traversal Vulnerability

CVE-2026-3795 is a path traversal vulnerability (CWE-22) in Html-js DoraCMS 3.0.x. The affected code is the createFileBypath function defined in the source file /DoraCMS/server/app/router/api/v1.js. An attacker who can reach the affected API over the network can supply a file path containing directory traversal sequences and operate on locations outside the directory the application intends to use. This article covers technical details, affected versions, impact assessment, and mitigation strategies.


CVE-2026-3795 Overview

A path traversal vulnerability has been discovered in doramart DoraCMS 3.0.x. The affected code is the createFileBypath function in the source file /DoraCMS/server/app/router/api/v1.js (a server-side router module, not a URL the attacker requests). By manipulating the file path parameter handled by that function, an attacker can perform path traversal and reach files and directories outside the intended base directory. The attack can be initiated remotely over the network, and a public exploit has been released, increasing the risk of active exploitation.

Critical Impact

Remote attackers can traverse directory paths to read, write, or manipulate files outside the designated application directory, potentially leading to sensitive data exposure, configuration tampering, or further system compromise.

Affected Products

  • Html-js DoraCMS 3.0.x
  • DoraCMS installations whose API routes invoke the vulnerable createFileBypath function
  • Deployments in which the API routes defined in /DoraCMS/server/app/router/api/v1.js are reachable over the network

Discovery Timeline

  • 2026-03-09 - CVE-2026-3795 published to NVD
  • 2026-03-10 - Last updated in NVD database

Technical Details for CVE-2026-3795

Vulnerability Analysis

This path traversal vulnerability (CWE-22) exists in the createFileBypath function of DoraCMS. The vulnerability allows authenticated remote attackers to escape the intended file system boundaries by injecting directory traversal sequences (such as ../) into file path parameters. The function fails to properly sanitize or validate user-supplied input before constructing file system paths, enabling attackers to access arbitrary locations on the server.

The exploit has been publicly disclosed, and despite early contact with the vendor regarding this security issue, no response was received. This lack of vendor engagement increases the urgency for affected organizations to implement protective measures.

Root Cause

The root cause of this vulnerability is insufficient input validation in the createFileBypath function. The application does not properly sanitize file path inputs, allowing special characters and directory traversal sequences to be processed. This enables attackers to construct malicious paths that reference files and directories outside the application's intended scope.

Attack Vector

The attack is executed remotely over the network by an authenticated user. The attacker sends a crafted request to the API route that invokes createFileBypath (the route is defined in /DoraCMS/server/app/router/api/v1.js; the advisory does not name the HTTP path), placing directory traversal sequences in the file path parameter. The resulting path points outside the web root, at system files, configuration data, or other protected resources.

Exploitation consists of manipulating the file path parameter passed to createFileBypath. Each ../ (or an encoded equivalent such as ..%2f) moves one directory up from the intended base, so a parameter with enough parent-directory references can reach any location the DoraCMS service account is permitted to touch, for example an application configuration file. Because the function name indicates it creates a file at the supplied path, arbitrary file write is the most direct consequence; whether reads are also possible depends on code the advisory does not show. For detailed technical analysis, refer to the VulDB advisory.

Detection Methods for CVE-2026-3795

Indicators of Compromise

  • HTTP requests to the DoraCMS API routes that reach createFileBypath whose file path parameter contains ../, ..%2f, or ..%5c (the exact route is not named in the advisory; /DoraCMS/server/app/router/api/v1.js is the server-side router file, not a URL)
  • Unusual file access patterns in web server logs targeting sensitive system files
  • Access attempts to files outside the DoraCMS web root directory
  • API requests whose file path parameter carries URL-encoded or double-encoded traversal payloads (%2e%2e%2f, %252e%252e%252f) that would be missed by a literal ../ match

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block path traversal patterns in request parameters
  • Monitor application logs for requests containing multiple consecutive ../ sequences or URL-encoded equivalents
  • Deploy file integrity monitoring on critical system files and DoraCMS configuration directories
  • Configure intrusion detection systems (IDS) to alert on path traversal attack signatures
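The indicators and detection strategies above can be turned into a log scan. The following is an added example, not part of the advisory or of DoraCMS, written in Node.js: it parses access-log lines in combined log format, decodes percent-encoding repeatedly so that double-encoded payloads collapse to a literal "..", flags parent-directory components and null bytes, and groups hits by source. The log lines, client IPs and the route /api/createFile are constructed placeholders; the real DoraCMS route that reaches createFileBypath is not named in the advisory.

```javascript
// Added example (not part of the advisory or of DoraCMS): scan access-log
// lines for the traversal indicators above. The log lines, the client IPs and
// the route /api/createFile are constructed placeholders; the real DoraCMS
// route that reaches createFileBypath is not named in the advisory.

// Decode percent-encoding repeatedly (bounded) so that %2e%2e, %252e%252e
// (double-encoded) and mixed forms all collapse to a literal "..".
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      break; // malformed escape: keep what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// True when the request target, once decoded and with backslashes folded to
// "/", contains a parent-directory component or a null byte. Deliberately
// inclusive: "....//" (a common filter bypass) also matches.
function hasTraversal(rawTarget) {
  const decoded = fullyDecode(rawTarget).replace(/\\/g, "/");
  return /\.\.(?:\/|$)/.test(decoded) || decoded.includes("\0");
}

// Combined log format: ip ident user [time] "METHOD target PROTO" status bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not a request line we understand
    const [, ip, ts, method, target, status] = m;
    if (hasTraversal(target)) {
      hits.push({ ip, ts, method, target, status: Number(status) });
    }
  }
  return hits;
}

// Count hits per client so a burst from one source stands out.
function hitsBySource(hits) {
  const out = {};
  for (const h of hits) out[h.ip] = (out[h.ip] || 0) + 1;
  return out;
}

// Constructed sample: three traversal attempts from one source (literal,
// single-encoded, double-encoded) and two benign requests, one of which
// contains ".." inside a filename and must not be flagged.
const SAMPLE_LOG = [
  '198.51.100.23 - - [09/Mar/2026:10:14:02 +0000] "POST /api/createFile?path=../../../../etc/cron.d/job HTTP/1.1" 200 51',
  '203.0.113.7 - - [09/Mar/2026:10:14:05 +0000] "GET /api/content/list?page=1 HTTP/1.1" 200 2048',
  '198.51.100.23 - - [09/Mar/2026:10:15:11 +0000] "POST /api/createFile?path=..%2f..%2fconfig%2fconfig.js HTTP/1.1" 200 51',
  '198.51.100.23 - - [09/Mar/2026:10:15:40 +0000] "POST /api/createFile?path=%252e%252e%252fserver%252fapp.js HTTP/1.1" 200 51',
  '192.0.2.9 - - [09/Mar/2026:10:16:00 +0000] "GET /static/img/logo..png HTTP/1.1" 200 900',
];

const sampleHits = scanLog(SAMPLE_LOG);
console.log(hitsBySource(sampleHits), sampleHits.map((h) => h.target));
```

On the constructed sample the scan reports three hits, all from 198.51.100.23, and leaves logo..png alone because ".." there is not followed by a separator. The limitation matters for this CVE: an access log records only the request line, so a path parameter sent in a POST body is invisible to this scan and must be picked up from application-level logs.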

Monitoring Recommendations

  • Enable verbose logging on the DoraCMS application so that API requests are captured with their parameters; web-server access logs record only the request line, so a file path sent in a request body appears only in application-level logs
  • Set up alerts for any access attempts to sensitive directories such as /etc/, /var/, or parent directories of the web root
  • Monitor for unusual file creation or modification events outside the DoraCMS content directory
  • Implement centralized log aggregation to correlate potential attack patterns across multiple systems

How to Mitigate CVE-2026-3795

Immediate Actions Required

  • Restrict network access to the DoraCMS administration interface and API endpoints using firewall rules
  • Implement strict input validation on all file path parameters at the application gateway or WAF level
  • Review and audit all recent file system access logs for signs of exploitation
  • Consider temporarily disabling the createFileBypath functionality if not critical to operations

Patch Information

At the time of publication, the vendor (doramart) has not responded to disclosure attempts and no official patch is available. Organizations should monitor the VulDB advisory and official DoraCMS repositories for security updates. Consider implementing compensating controls until a patch is released.

Workarounds

  • Deploy a web application firewall (WAF) with rules to block path traversal sequences in all incoming requests
  • Implement server-side validation that canonicalises the resolved path and requires it to remain under the intended base directory; rejecting ../ or null bytes alone is a weaker control that encoded or nested variants can bypass
  • Use chroot jails or containerization to limit the file system scope accessible to the DoraCMS application
  • Apply the principle of least privilege to the DoraCMS service account, restricting file system permissions
```nginx
# Example nginx configuration to block path traversal attempts in the request
# line. The location prefix is an assumption: replace it with the real API
# route prefix of your DoraCMS deployment (the advisory names only the source
# file /DoraCMS/server/app/router/api/v1.js, not the HTTP path).
location /api/ {
    # $request_uri is the raw, un-normalised request line, so ".." and its
    # encodings are still visible here ($uri would already be normalised).
    # Block literal, single-encoded and double-encoded parent-directory tokens.
    if ($request_uri ~* "(\.\.|%2e%2e|%252e%252e|%2e\.|\.%2e)") {
        return 403;
    }

    # Null bytes are never legitimate in a path or query string.
    if ($request_uri ~* "%00") {
        return 403;
    }

    # Proceed with normal proxy handling. These rules inspect only the URL;
    # a traversal payload carried in a POST body is not seen by them.
    proxy_pass http://doracms_backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
