CVE-2026-1018 identifies an Absolute Path Traversal vulnerability (CWE-36) in the Gotac Police Statistics Database System, a software product used for managing police statistical data. The vulnerability allows unauthenticated remote attackers to exploit improper input validation mechanisms to perform arbitrary file reads on the underlying system. Specifically, attackers can manipulate file path inputs to traverse directories beyond the intended file access scope, thereby downloading sensitive system files. This flaw does not require any authentication or user interaction, significantly lowering the barrier for exploitation. The vulnerability has been assigned a CVSS 4.0 base score of 8.7, reflecting its high impact on confidentiality with no impact on integrity or availability. The vulnerability was published on January 16, 2026, and no patches or known exploits have been reported yet. The lack of authentication and the ability to read arbitrary files could expose sensitive police data, system configuration files, or credentials, potentially enabling further attacks or data leaks. The root cause is inadequate sanitization of user-supplied file path inputs, a common issue in web applications that handle file operations. Given the critical nature of police data, exploitation could severely compromise law enforcement operations and privacy protections.

For European organizations, particularly law enforcement agencies using the Gotac Police Statistics Database System, this vulnerability poses a significant risk to the confidentiality of sensitive data. Unauthorized access to police statistics and system files could lead to exposure of personal data, investigative details, or internal configurations, undermining public trust and operational security. The breach of sensitive files could also facilitate subsequent attacks, such as privilege escalation or lateral movement within networks. The impact extends beyond data confidentiality to potential legal and regulatory consequences under GDPR due to unauthorized data disclosure. Operational disruptions may occur if attackers leverage exposed information to sabotage or manipulate police systems. The vulnerability's remote and unauthenticated nature increases the likelihood of exploitation, especially if the system is accessible over public or poorly segmented networks. European organizations must consider the reputational damage and national security implications of such a breach.

Immediate mitigation should focus on applying vendor-provided patches once available. In the absence of patches, organizations should implement strict input validation on all file path parameters to prevent directory traversal sequences (e.g., '..' or absolute paths). Deploying Web Application Firewalls (WAFs) with rules designed to detect and block path traversal attempts can provide an additional protective layer. Network segmentation should be enforced to restrict access to the Police Statistics Database System only to trusted internal networks and authorized personnel. Regularly auditing file access logs and monitoring for unusual file read activities can help detect exploitation attempts early. Organizations should also conduct security assessments and penetration testing focused on path traversal vulnerabilities. Finally, ensuring that sensitive files and directories have appropriate access controls and are not accessible by the application user can limit the impact of successful exploitation.