CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53553

highCVSS 7.7covered by 1 sourcefirst seen 2026-07-07
Click here to jump to the Simplified Chinese version (点击跳转到简体中文版本) Goploy System Arbitrary File Read Vulnerability Basic Information - Vulnerability Name: Goploy Endpoints Arbitrary File Read via Path Traversal - Vulnerability Type: Path Traversal (CWE-22) / Arbitrary File Read - Affected Product: Goploy - Severity Level: High (CVSS V3 7.7) - Known Affected Versions: <=1.17.5 Vulnerability Description Goploy is an open-source automation deployment system. A severe path traversal vulnerability exists in its backend API endpoints, specifically /deploy/fileDiff (File Compare), when handling file paths provided by the client. The original logic of this endpoint is to read a local project file and compare it with a file on a remote target server. However, due to insufficient validation and sanitization of the filePath parameter, and the lack of security constraints on the final absolute file path, malicious paths containing ../ are directly executed within the system. This leads to a dual arbitrary file read issue: 1. Local Host File Read: os.ReadFile is tricked by the directory traversal payload to read any file via its absolute path on the Goploy local host (returned in the srcText field of the response body). 2. Remote Controlled Server File Read: Subsequently, the same payload is utilized via the SFTP protocol on the target server pointed to by the serverID. Influenced similarly by the directory traversal, it reads any file on the configured remote server (returned in the distText field of the response body). The threshold for exploiting this vulnerability is extremely low, and the conditions are very easily met. The system comes with a built-in member role upon default installation, which is granted the "File Compare" permission by default. This means that as long as a normal low-privileged user is added to the system, they inherently possess the basic privileges required to call the vulnerable endpoint. The only prerequisite for the attack is that at least one

⚡ Watch CVE-2026-53553

Get an email if CVE-2026-53553 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53553

CVE.org record

Embed the live status

CVE-2026-53553 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53553 status](https://www.csirts.com/badge/CVE-2026-53553)](https://www.csirts.com/cve/CVE-2026-53553)