Platform: other
Component: statistics-database-system
Fixed in: 1.0.4
CVE-2026-1022 describes an Arbitrary File Access vulnerability discovered in the Statistics Database System developed by Gotac. This vulnerability allows unauthenticated remote attackers to exploit a Relative Path Traversal flaw, potentially leading to the exposure of sensitive system files. The vulnerability affects versions 0.0 through 1.0.3, and a patch is available in version 1.0.4.
The primary impact of CVE-2026-1022 is the potential for unauthorized access to sensitive system files. An attacker exploiting this vulnerability could download configuration files, source code, or other critical data stored on the server hosting the Statistics Database System. This could lead to further compromise, including data exfiltration, privilege escalation, or even complete system takeover. The lack of authentication required to exploit the vulnerability significantly broadens the attack surface, making it accessible to a wide range of malicious actors. Successful exploitation could reveal database credentials, API keys, or other secrets, enabling lateral movement within the network.
CVE-2026-1022 was publicly disclosed on 2026-01-16. There are currently no known public proof-of-concept exploits available, but the vulnerability's ease of exploitation (unauthenticated access, simple path traversal) suggests a medium probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The relative simplicity of the attack pattern makes it likely that automated scanners will identify and attempt to exploit this vulnerability.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-1022 is to upgrade the Statistics Database System to version 1.0.4 or later without delay. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting access to the affected endpoint through a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests containing path traversal sequences (e.g., '../'). Carefully review file permissions to ensure that sensitive files are not readable by the web server user. Monitor system logs for suspicious activity, particularly attempts to access files outside of the intended directory.
Update the Statistics Database System to a version later than 1.0.3 to fix the arbitrary file read vulnerability. If updating is not possible, implement additional security measures to restrict access to sensitive files and validate user input to prevent directory traversal.
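As an added defensive example (not code from Gotac or from the Statistics Database System, whose internals this page does not describe), the Python below shows the two controls the mitigation advice above relies on: server-side validation that a requested file resolves inside the permitted directory, and a scan of web-server access-log lines for traversal sequences, including percent-encoded and double-encoded variants that a plain '../' string match would miss. The base directory, endpoint paths, and log lines are constructed for illustration and are assumptions, not values from the advisory.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical directory the application is permitted to serve files from.
BASE_DIR = "/srv/stats/public"

# Constructed access-log lines in common log format (RFC 5737 test addresses);
# the request paths are illustrative, not captured traffic.
LOG_LINES = [
    '203.0.113.5 - - [16/Jan/2026:10:01:02 +0000] "GET /api/report/2025.csv HTTP/1.1" 200 5123',
    '203.0.113.7 - - [16/Jan/2026:10:01:09 +0000] "GET /api/report/../../../app/config.ini HTTP/1.1" 200 1812',
    '203.0.113.9 - - [16/Jan/2026:10:02:31 +0000] "GET /api/report/%2e%2e%2f%2e%2e%2fapp%2fconfig.ini HTTP/1.1" 200 1812',
    '198.51.100.4 - - [16/Jan/2026:10:03:00 +0000] "GET /static/..hidden/logo.png HTTP/1.1" 404 0',
]

# Extracts the client address and the request path from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(request_path: str) -> bool:
    """True if any path segment equals '..' after decoding; a name like '..hidden' is not flagged."""
    path = decode_fully(request_path.split("?", 1)[0])
    segments = path.replace("\\", "/").split("/")
    return ".." in segments


def resolve_safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; return None if it escapes base_dir or carries a NUL byte."""
    decoded = decode_fully(user_path)
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' components and follows symlinks, so the prefix
    # check below is made on the canonical path rather than on the raw string.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def find_traversal_attempts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for each log line that looks like a traversal attempt."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if match and is_traversal_attempt(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(LOG_LINES):
        print(f"traversal attempt from {ip}: {path}")
    print(resolve_safe_path(BASE_DIR, "reports/2025.csv"))
    print(resolve_safe_path(BASE_DIR, "../../../app/config.ini"))
```

The detection side deliberately decodes before matching and tests whole path segments, so a WAF or log rule built the same way neither misses `%2e%2e%2f` nor false-positives on legitimate names that merely contain two dots. The validation side is the control that actually closes the flaw: whatever the WAF sees, the application only opens files whose canonical path lies under the directory it is meant to serve.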
CVE-2026-1022 is a HIGH severity vulnerability allowing unauthenticated attackers to read arbitrary files on a server running Statistics Database System due to a Relative Path Traversal flaw.
You are affected if you are running Statistics Database System versions 0.0 through 1.0.3. Upgrade to 1.0.4 to resolve the issue.
Upgrade to version 1.0.4 or later. As a temporary workaround, restrict access to the vulnerable endpoint using a WAF or proxy server.
While no public exploits are currently known, the vulnerability's simplicity suggests a medium probability of exploitation.
Refer to the Gotac website or relevant security mailing lists for the official advisory regarding CVE-2026-1022.