CVE-2026-3188 is a path traversal vulnerability identified in the feiyuchuixue sz-boot-parent software component, specifically affecting versions up to 1.3.2-beta. The vulnerability resides in the API endpoint /api/admin/common/download/templates, where the templateName parameter is not properly validated, allowing an attacker to manipulate it to traverse directories outside the intended scope. This can lead to unauthorized access to sensitive files on the server, potentially exposing configuration files, source code, or other critical data. The vulnerability can be exploited remotely without requiring authentication or user interaction, making it easier for attackers to leverage. The vendor responded by releasing version 1.3.3-beta, which includes path validity checks to prevent traversal attacks. The patch is identified by commit aefaabfd7527188bfba3c8c9eee17c316d094802. Although a public exploit exists, there are no confirmed reports of active exploitation in the wild at this time. The CVSS 4.0 base score is 5.3 (medium), reflecting the moderate impact on confidentiality and ease of exploitation without privileges. This vulnerability primarily threatens the confidentiality of data and could be a stepping stone for further attacks if sensitive files are accessed.

The primary impact of CVE-2026-3188 is unauthorized disclosure of sensitive information due to path traversal, which can compromise confidentiality. Attackers exploiting this flaw can read arbitrary files on the affected server, potentially exposing credentials, configuration files, or proprietary code. This can facilitate further attacks such as privilege escalation, lateral movement, or data exfiltration. Since the vulnerability requires no authentication and no user interaction, it poses a significant risk to exposed systems. Organizations relying on feiyuchuixue sz-boot-parent 1.3.2-beta or earlier in production environments may face data breaches or operational disruptions if exploited. The scope is limited to systems running the vulnerable version, but the availability of a public exploit increases the likelihood of opportunistic attacks. Although no active exploitation is reported, the presence of a public exploit necessitates urgent remediation to prevent potential compromise.

To mitigate CVE-2026-3188, organizations should immediately upgrade feiyuchuixue sz-boot-parent to version 1.3.3-beta or later, which contains the official patch implementing path validity checks. Until the upgrade can be applied, restrict access to the vulnerable API endpoint (/api/admin/common/download/templates) using network-level controls such as firewalls or API gateways to limit exposure to trusted IP addresses. Implement web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in the templateName parameter. Conduct thorough code reviews and penetration testing to identify any similar path traversal issues in custom or integrated components. Monitor logs for suspicious access attempts targeting the vulnerable endpoint and establish alerting for anomalous file access patterns. Educate development teams on secure input validation practices to prevent similar vulnerabilities in future releases. Finally, maintain an inventory of affected software versions to ensure timely patch management.