Scan free
MEDIUMCVE-2026-5638CVSS 5.3

CVE-2026-5638: Path Traversal in HerikLyma CPPWebFramework

Platform

cpp

Component

heriklyma-cppwebframework

Fixed in

3.0.1

3.1.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

A Path Traversal vulnerability has been identified in HerikLyma CPPWebFramework, affecting versions 3.0.0 through 3.1. This flaw allows attackers to potentially access sensitive files and directories on the server by manipulating processing. The vulnerability is remotely exploitable and a public exploit is available, highlighting the urgency of addressing this issue. The project maintainers have not yet responded to the reported issue.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-5638 allows an attacker to bypass access controls and read arbitrary files on the server hosting the HerikLyma CPPWebFramework application. This could include configuration files containing sensitive credentials, source code, or other confidential data. Depending on the server's configuration and the files accessible, the attacker could potentially gain further access to the underlying system or network. The availability of a public exploit significantly increases the risk of exploitation, as it lowers the barrier to entry for malicious actors.

Exploitation Context

This vulnerability is considered actively exploitable due to the public availability of a proof-of-concept. It has been added to the NVD database on 2026-04-06. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact. There is no indication of active campaigns targeting this vulnerability at this time, but the public exploit makes it a high-priority target for opportunistic attackers.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.06% (20% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R5.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentheriklyma-cppwebframework
VendorHerikLyma
Affected rangeFixed in
3.0 – 3.03.0.1
3.1 – 3.13.1.1

Weakness Classification (CWE)

CWE-22

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Unpatched — 48 days since disclosure

Mitigation and Workarounds

Due to the lack of a response from the project maintainers, immediate mitigation is crucial. While upgrading to a patched version is the ideal solution, it is currently unavailable. As a temporary workaround, implement strict input validation and sanitization on all user-supplied data used in file path construction. Configure a Web Application Firewall (WAF) to block requests containing suspicious path traversal patterns (e.g., '../'). Regularly monitor system logs for unusual file access attempts. After implementing these workarounds, verify their effectiveness by attempting to access restricted files using various path traversal payloads.

How to fix

It is recommended to contact the vendor (HerikLyma) to obtain an update or patch that resolves the path traversal vulnerability. Given that the vendor has not responded, it is suggested to avoid using this version until an official solution is published. Implementing additional security measures, such as strict user input validation, can mitigate the risk.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-5638 — Path Traversal in HerikLyma CPPWebFramework?

CVE-2026-5638 is a vulnerability in HerikLyma CPPWebFramework versions 3.0.0–3.1 that allows attackers to access unauthorized files by manipulating processing.

Am I affected by CVE-2026-5638 in HerikLyma CPPWebFramework?

You are affected if you are using HerikLyma CPPWebFramework versions 3.0.0–3.1 and have not yet implemented mitigation strategies.

How do I fix CVE-2026-5638 in HerikLyma CPPWebFramework?

Upgrade to a patched version when available. Until then, implement input validation, WAF rules, and monitor system logs.

Is CVE-2026-5638 being actively exploited?

Yes, a public exploit exists, making it likely that attackers are actively scanning for and exploiting vulnerable systems.

Where can I find the official HerikLyma CPPWebFramework advisory for CVE-2026-5638?

As of the current date, there is no official advisory from the project maintainers. Monitor the project's website and relevant security mailing lists for updates.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs