## https://sploitus.com/exploit?id=8D100509-2FC5-521A-8B87-5CDDF68DE547
# CVE-2026-21857: Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-21857 |
| **Vulnerability Type** | Path Traversal |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary
Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality.
### Details
The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories.  
An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive.

Vulnerable code:
- `redaxo/src/addons/backup/pag...
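
The check the Details section says is missing, as an added example that is not Redaxo's own code: canonicalize the requested export directory and accept it only if it resolves to an allowlisted directory beneath the webroot, so `../` sequences and absolute paths outside the allowlist are rejected. The function name `checkExportDir` and the temporary directory layout are assumptions.

```php
<?php
// Added example, not Redaxo's code: accept an export directory only if it
// canonicalizes to an allowlisted directory beneath the webroot.
// checkExportDir() and the directory layout below are assumptions.

function checkExportDir(string $base, array $allowed, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Relative input is resolved against the base; absolute input is taken as given.
    $candidate = str_starts_with($requested, '/') ? $requested : "$base/$requested";
    // realpath() collapses "../" segments and symlinks, or fails if the path is missing.
    $real = realpath($candidate);
    if ($real === false) {
        return null;
    }
    // Reject anything that resolved outside the base (separator guards against /webroot2).
    if ($real !== $baseReal && !str_starts_with($real, $baseReal . DIRECTORY_SEPARATOR)) {
        return null;
    }
    // Compare the canonical result against the canonical allowlist, never the raw input.
    $allowedReal = array_map('realpath', $allowed);
    return in_array($real, $allowedReal, true) ? $real : null;
}

// Constructed layout: <tmp>/webroot/{media,cache,config}; only media and cache are allowed.
$root = sys_get_temp_dir() . '/exportdir_demo_' . getmypid();
foreach (['media', 'cache', 'config'] as $d) {
    mkdir("$root/webroot/$d", 0700, true);
}
$base = "$root/webroot";
$allowed = ["$base/media", "$base/cache"];

$cases = [
    'media'           => true,  // allowlisted
    'config'          => false, // inside webroot, but not allowlisted
    'media/../config' => false, // traversal collapses to config
    '../../'          => false, // escapes the webroot entirely
    "$base/cache"     => true,  // absolute path to an allowlisted directory
];
foreach ($cases as $input => $expected) {
    $accepted = checkExportDir($base, $allowed, $input) !== null;
    printf("%-40s %s\n", $input, $accepted === $expected ? 'ok' : 'MISMATCH');
}
```

The same canonicalize-then-compare step should run on the server for every directory taken from `EXPDIR`, regardless of what the UI offered.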

## Affected Products

- **redaxo/source** (versions: <= 5.20.1)
## CWE Classification

- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-24: Path Traversal: '../filedir'
## References

- https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv
- https://github.com/redaxo/redaxo/releases/tag/5.20.2
- https://nvd.nist.gov/vuln/detail/CVE-2026-21857
- https://github.com/advisories/GHSA-824x-88xg-cwrv
## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.