CVE-2026-2753 is a high-severity Absolute Path Traversal vulnerability (CWE-36) affecting Navtor NavBox version 4.12.0.3. NavBox exposes an HTTP service that improperly sanitizes user-supplied path inputs, allowing attackers to craft requests containing absolute filesystem paths. Because the application fails to validate or restrict these inputs, an unauthenticated remote attacker can retrieve arbitrary files from the underlying filesystem. The extent of file access is limited only by the permissions of the NavBox service process, which may include sensitive configuration files, credentials, or system information. This vulnerability does not require authentication or user interaction, increasing its risk. The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact with no integrity or availability impact. No patches or exploit code are currently publicly available, but the vulnerability is publicly disclosed and should be addressed promptly. The flaw stems from insufficient input validation on the HTTP service's path parameters, a common security oversight in web-facing applications. Given NavBox’s role in maritime navigation and fleet management, exposure of configuration or operational data could have operational and safety implications.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive files on systems running NavBox 4.12.0.3. Attackers can access configuration files, credentials, or other sensitive data, potentially enabling further attacks such as credential theft, lateral movement, or operational disruption. For organizations relying on NavBox for maritime navigation and fleet management, this could lead to compromised operational security, exposure of proprietary or safety-critical information, and regulatory compliance issues. Since the vulnerability is remotely exploitable without authentication, it significantly increases the attack surface and risk of widespread exploitation. Although no integrity or availability impact is indicated, the confidentiality breach alone can have severe consequences, especially in sectors where NavBox is deployed, such as shipping companies, maritime logistics providers, and port authorities. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure.

1. Immediate mitigation involves restricting network access to the NavBox HTTP service to trusted networks only, using firewalls or network segmentation to limit exposure. 2. Monitor and log HTTP requests to detect suspicious path traversal attempts, focusing on requests containing absolute filesystem paths. 3. If possible, deploy a Web Application Firewall (WAF) with rules to block path traversal patterns targeting NavBox. 4. Contact Navtor for official patches or updates addressing this vulnerability; prioritize applying any released patches promptly. 5. If patches are unavailable, consider temporary workarounds such as running NavBox with least privilege, ensuring the service process has minimal filesystem permissions to limit data exposure. 6. Conduct a thorough audit of sensitive files accessible to the NavBox service and relocate or protect critical files where feasible. 7. Educate IT and security teams about this vulnerability to increase awareness and readiness to respond to potential exploitation attempts. 8. Regularly review and update access controls and network configurations to minimize exposure of critical systems.