8.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21857

CVE-2026-21857: Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive. Version 5.20.2 fixes this issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21857

CVE-2026-21857:

8.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
redaxo/source	composer	<= 5.20.1	5.20.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a path traversal weakness in the backup creation functionality of the Redaxo Backup addon. The analysis of the provided security advisory and the associated patch confirms that the root cause is the lack of input validation on the EXPDIR POST parameter, which specifies the directories to be included in a file backup.

The investigation started by identifying the relevant code changes between the vulnerable version (<= 5.20.1) and the patched version (5.20.2). By comparing the git tags, a commit with the message "Backup: validate selected export dirs" was identified as the security patch.

The patch exclusively modifies the file redaxo/src/addons/backup/pages/export.php. This script is the entry point that handles the backup export request. It retrieves the EXPDIR parameter from the user's POST request. The patch introduces code to intersect the user-provided directories with an allowlist of valid directories, effectively sanitizing the input.

The advisory points out that the unsanitized input was being used in redaxo/src/addons/backup/lib/backup.php. An examination of the codebase reveals that export.php instantiates the rex_backup class and calls its doExport method, passing the unsanitized $EXPDIR array. The rex_backup::doExport function then iterates through the provided directory paths and adds them to the backup archive. It is within this function that the path traversal occurs, as it concatenates the user-provided path with the base directory without proper sanitization.

Therefore, while the patch is in export.php, the function that would appear in a runtime profile during exploitation is rex_backup::doExport, as it is the function that directly processes the malicious input and performs the vulnerable file operation.

Vulnerable functions

rex_backup::doExport

redaxo/src/addons/backup/lib/backup.php

The `doExport` function is responsible for creating a backup archive. It accepts an array of directory paths (`$dir`) to be included in the archive. The function constructs the full path to each directory by concatenating it with the base path using `rex_path::frontend($file)`. Before the patch, the input from the user was not validated in the calling script (`export.php`), allowing an attacker to provide path traversal sequences (e.g., `../`) in the `EXPDIR` POST parameter. This would cause the `doExport` function to include arbitrary files and directories from the filesystem in the backup archive, leading to the disclosure of sensitive information like configuration files containing credentials.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21857: Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

CVE-2026-21857:

8.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2026-21857: Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.3

8.3

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI