## https://sploitus.com/exploit?id=FAF4A621-EF5C-5980-AED9-2374875BEFF0
# CVE-2026-37066
Path traversal leading to arbitrary file read in /vfm-admin/index.php and /vfm-admin/ajax/streamvid.php in Veno File Manager Project 4.4.9 allows an authenticated attacker with the super administrator role to disclose sensitive information via two specially crafted HTTP requests (POST and GET) to the affected endpoints.
https://github.com/user-attachments/assets/79517c2c-049d-4ea8-b359-43244a9cbc5c
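
One way to hunt for this in web-server access logs, as an added example that is not part of the original advisory: it flags requests to the two endpoints named above whose query-string values contain a `..` path segment after repeated percent-decoding. The log lines and the parameter name `PLACEHOLDER` are constructed, since the advisory does not name the affected parameters, and POST bodies are assumed to be absent from the access log, so only the request target is inspected.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints named in the advisory; matched as suffixes so sub-directory installs are covered.
WATCHED = ("/vfm-admin/index.php", "/vfm-admin/ajax/streamvid.php")
# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; PLACEHOLDER is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /vfm-admin/ajax/streamvid.php?PLACEHOLDER=uploads/clip.mp4 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2026:10:00:05 +0000] "GET /vfm-admin/ajax/streamvid.php?PLACEHOLDER=..%2f..%2fnotes.txt HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Jan/2026:10:00:09 +0000] "GET /files/vfm-admin/ajax/streamvid.php?PLACEHOLDER=%252e%252e%255cnotes.txt HTTP/1.1" 200 90',
    '203.0.113.5 - - [01/Jan/2026:10:00:12 +0000] "GET /index.php?dir=..%2fx HTTP/1.1" 200 10',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment equals '..' once decoded and separators are unified."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def suspicious_requests(log_lines):
    """Return (method, path, parameter) for watched-endpoint requests carrying traversal."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not fully_decode(parts.path).lower().endswith(WATCHED):
            continue
        # parse_qsl decodes once; has_traversal handles any remaining encoding layers.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if has_traversal(value):
                hits.append((match.group("method"), parts.path, name))
                break
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```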