Bolo-Blog Bolo-Solo Path Traversal Vulnerability in ZIP File Handler

Vulnerability

A path traversal vulnerability has been identified in Bolo-Blog Bolo-Solo versions through 2.6.4. The issue lies in the ZIP File Handler component, specifically in the 'unpackFilteredZip' function of 'BackupService.java', which does not adequately validate the paths of entries in uploaded ZIP files before writing them to disk. As a result, an attacker can write arbitrary files on the server, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows authenticated users to write arbitrary files on the server, potentially overwriting critical files or executing uploaded web shells, according to the vulnerability report.

Reproduction

To reproduce this vulnerability, upload a malicious ZIP file through the '/import/markdown' interface. The ZIP file should contain entries that include path traversal sequences, such as '../', to exploit the inadequate path validation during the extraction process. Once the ZIP file is uploaded, the traversed files will appear on the server.
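The defensive counterpart to the extraction flaw described above, as an added example that is not Bolo-Solo's code: each entry name is resolved against the destination directory and normalized, and any entry whose canonical target falls outside that directory is rejected before anything is written. The class name, the '/tmp/import' destination and the sample entry names are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Added example (not Bolo-Solo code): extract a ZIP while rejecting entries that escape destDir. */
public final class SafeZipExtractor {

    /** Resolves an entry name against destDir and fails closed if it lands outside it. */
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        // normalize() collapses "../" and "./" segments; an absolute entry name replaces root
        // entirely in resolve(), so the prefix check below catches both escape forms.
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Rejected ZIP entry outside destination: " + entryName);
        }
        return target;
    }

    /** Extracts the archive, creating only regular files and directories below destDir. */
    public static void unpack(InputStream in, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = resolveEntry(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target); // no REPLACE_EXISTING: existing files are never overwritten
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) {
        Path dest = Path.of("/tmp/import"); // constructed destination
        // Constructed entry names: the first is accepted, the other two are rejected.
        for (String name : new String[] {"posts/hello.md", "../../etc/crontab", "/etc/passwd"}) {
            try {
                System.out.println("ok       " + resolveEntry(dest, name));
            } catch (IOException e) {
                System.out.println("rejected " + e.getMessage());
            }
        }
    }
}
```

Logging the rejected entry name, as the exception message does here, also gives the server a detection signal: a ZIP import that trips this check is worth investigating.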

Added: Feb 3, 2026, 9:20 PM
Updated: Feb 3, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread          2.2
impact          0.8
exploitability  6.8
remediation     0.0
relevance       2.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.