CVE-2026-1186: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ABC PRO SP. Z O.O. EAP Legislator
EAP Legislator is vulnerable to Path Traversal in its file extraction functionality. An attacker can prepare a zipx archive (the default file type used by the Legislator application) and choose an arbitrary path outside the intended directory (e.g. system startup) to which files will be extracted when the victim opens the file. This issue was fixed in version 2.25a.
AI Analysis
Technical Summary
CVE-2026-1186 is a path traversal vulnerability categorized under CWE-22 found in the EAP Legislator software developed by ABC PRO SP. Z O.O. The flaw exists in the file extraction functionality that processes zipx archives, the default file type used by the application. An attacker can create a specially crafted zipx archive containing file paths that traverse outside the intended extraction directory, such as system startup folders. When a victim opens this malicious archive, the application extracts files to arbitrary locations on the victim's system, potentially overwriting or adding files critical to system operation or security. This can lead to unauthorized file modification, privilege escalation, or persistence mechanisms. The vulnerability requires no privileges and no authentication but does require user interaction to open the malicious file. The CVSS 4.0 base score is 8.6, indicating high severity due to network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality and integrity. The issue was publicly disclosed and fixed in version 2.25a. No known exploits have been reported in the wild, but the potential impact warrants immediate attention. The vulnerability was assigned and published by CERT-PL, indicating awareness in the Polish cybersecurity community.
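The defence the analysis above implies is an extractor that validates every archive entry name against the destination directory before writing. The following is an added example, not code from EAP Legislator or the CVE record; it uses Python's standard zip support as a stand-in for zipx (the entry-name check is the same for either container) and builds a small constructed archive in memory with one benign entry and one entry whose stored name climbs above the extraction directory.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def is_contained(dest_root: str, member_name: str) -> bool:
    """True only if writing `member_name` under `dest_root` stays inside it.
    Rejects absolute paths, Windows drive prefixes, and '..' sequences that
    climb out of the root, after normalising backslash separators."""
    root = os.path.abspath(dest_root)
    name = member_name.replace("\\", "/")
    if PurePosixPath(name).is_absolute() or (len(name) > 1 and name[1] == ":"):
        return False
    target = os.path.abspath(os.path.join(root, name))  # collapses '..'
    return os.path.commonpath([root, target]) == root


def safe_extract(archive_bytes: bytes, dest_root: str) -> tuple[list[str], list[str]]:
    """Extract only entries that pass is_contained(); return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_root, info.filename):
                rejected.append(info.filename)  # log or quarantine in a real tool
                continue
            zf.extract(info, dest_root)
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign entry and one entry whose
    stored name tries to climb above the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/act.txt", "harmless document")
        zf.writestr("../../escaped.txt", "must never land outside dest")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    print(demo())  # (['docs/act.txt'], ['../../escaped.txt'])
```

Entries such as `a/../b.txt` are accepted because they normalise to a path inside the root; anything that resolves outside it, uses a backslash variant, an absolute path, or a drive prefix is rejected before any write occurs.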
Potential Impact
For European organizations, this vulnerability poses a significant risk especially to entities relying on EAP Legislator for legal, governmental, or administrative document processing. Successful exploitation can lead to arbitrary file writes outside designated directories, enabling attackers to overwrite critical system files, implant malware, or disrupt system startup processes. This compromises system integrity and availability, potentially causing operational downtime or unauthorized access. Confidentiality may also be impacted if sensitive files are overwritten or replaced. The requirement for user interaction means phishing or social engineering could be used to deliver the malicious archive. Given the software’s use in sensitive sectors, the impact on trust, regulatory compliance (e.g., GDPR), and operational continuity can be severe. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure.
Mitigation Recommendations
1. Immediately upgrade all EAP Legislator installations to version 2.25a or later, where the vulnerability is fixed.
2. Implement strict email and file filtering to block or quarantine zipx archives from untrusted sources.
3. Educate users on the risks of opening unsolicited or suspicious archive files, emphasizing verification of file origin.
4. Employ endpoint protection solutions capable of detecting anomalous file extraction behaviors or unauthorized file writes to critical directories.
5. Use application whitelisting to prevent unauthorized executables or scripts from running, especially those placed in startup folders.
6. Monitor system directories, particularly startup and system folders, for unexpected file changes or additions.
7. Consider sandboxing or opening archives in isolated environments before allowing extraction on production systems.
8. Maintain regular backups and ensure recovery procedures are tested to mitigate potential damage from exploitation.
Affected Countries
Poland, Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2026-01-19T13:17:10.720Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6980b180f9fa50a62f4545f1
Added to database: 2/2/2026, 2:15:28 PM
Last enriched: 2/2/2026, 2:29:43 PM
Last updated: 3/19/2026, 6:53:00 PM