NukeViet, Path Traversal to Arbitrary File Deletion, CVE-2026-54065 (High) -DC-Jul2026-955

Listen to this Post

How CVE-2026-54065 Works

This vulnerability is a path traversal flaw that allows an authenticated administrator to delete arbitrary files within the NukeViet application root. The root cause is a two-stage process spanning two different scripts.

Stage 1: Injection (edit.php)

The vulnerability is introduced in modules/comment/admin/edit.php. When an administrator edits a comment, the `attach` parameter from the HTTP POST request is retrieved using `$nv_Request->get_string()` without any validation:

$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}

The `substr()` function strips a fixed number of characters equal to the length of the upload URL prefix (e.g., 26 characters for /nukeviet/uploads/comment/). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can bypass this stripping and store a traversal path like `../../config.php` directly into the database.

Stage 2: Trigger (del.php)

When the comment is subsequently deleted, `del.php` reads the `attach` value from the database and passes it to nv_deletefile():

nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']);

The `nv_deletefile()` function resolves the path via `realpath()` and only verifies that the result is within `NV_ROOTDIR` — it does not restrict deletion to the uploads directory. This allows the deletion of any file in the installation root, including config.php, which immediately triggers the application’s install wizard.

DailyCVE Form

| Field | Value |

|-|-|

| Platform | NukeViet CMS |

| Version | < 4.6.00 |

| Vulnerability | Path Traversal |

| Severity | High (8.7) |

| Date | 2026-07-13 |

| Prediction | Already patched (4.6.00) |

What Undercode Say: Analytics

The vulnerability manifests through a two-file attack chain. Below is the vulnerable code path and the fix implementation.

Vulnerable Code (edit.php – before fix):

$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}

Fixed Code (edit.php – after fix):

$attach = $nv_Request->get_string('attach', 'post', '');
if (!empty($attach) and nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload)) {
$attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
} else {
$attach = '';
}

Fix Commit: `27ba63c32eea2782837b1464a930baf75f0b4d29`

Affected Component: `modules/comment/admin/edit.php`

Vulnerable Function: `nv_deletefile()` — resolves path via `realpath()` and only verifies result is within NV_ROOTDIR, with no restriction to the uploads directory

Exploit

Prerequisites:

  • Authenticated administrator access
  • Access to Admin → Comment Management

Steps to Reproduce:

  1. Log in as an administrator and navigate to Admin → Comment Management
  2. Select any comment and open the Edit form
  3. Intercept the POST request and set the `attach` parameter to:
    aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php
    

(26 padding characters + traversal path)

  1. Submit the request — the value `../../config.php` is now stored in the database
  2. Delete the comment — `config.php` is deleted from the application root
  3. The application immediately redirects to the install wizard, confirming the file has been removed

Protection

Official Fix: Upgrade to NukeViet 4.6.00 or later

Patch Details:

  • Added `nv_is_file()` validation before processing the `attach` value
  • The function uses `realpath()` and a regex check to ensure the file resolves to a path within the intended upload directory
  • Any traversal attempts are rejected and the `attach` value is set to an empty string

CVSS Vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H`

Impact

  • Arbitrary File Deletion: Any file readable by the web server process within `NV_ROOTDIR` can be permanently deleted
  • Full Application Outage: Deleting `config.php` causes a complete application failure and exposes the install wizard
  • Integrity Impact: High (critical configuration files can be destroyed)
  • Availability Impact: High (application becomes completely inoperable)
  • Scope: Changed — the vulnerable component impacts resources beyond its security scope

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top