CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49244

mediumCVSS 5.9covered by 1 sourcefirst seen 2026-07-02
Summary The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's canonical path begins with the shared directory's name. Patches Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary–aware check.

⚡ Watch CVE-2026-49244

Get an email if CVE-2026-49244 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49244

CVE.org record

Embed the live status

CVE-2026-49244 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49244 status](https://www.csirts.com/badge/CVE-2026-49244)](https://www.csirts.com/cve/CVE-2026-49244)