Skip to content

NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function

High severity GitHub Reviewed Published Jul 13, 2026 in nukeviet/nukeviet

Package

composer nukeviet/nukeviet (Composer)

Affected versions

< 4.6.00

Patched versions

4.6.00

Description

Summary

Path Traversal to Arbitrary File Deletion in the Edit Comment admin function. An authenticated administrator can delete arbitrary files within the application root (e.g., config.php) by injecting a crafted attach parameter, rendering the application inoperable.

Affected Component

modules/comment/admin/edit.php

Root Cause

In the vulnerable version, the attach parameter received via HTTP POST was not validated before being processed:

// Vulnerable code (before fix)
$attach = $nv_Request->get_string('attach', 'post', '', true);
if (!empty($attach)) {
    $attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
}

substr() strips the first N characters (equal to the length of the upload URL prefix, e.g. 26 chars for /nukeviet/uploads/comment/). By padding the payload with exactly 26 arbitrary characters followed by a path traversal sequence, an attacker can store ../../<target> directly into the database.

When the comment is subsequently deleted, del.php reads attach from the database and calls:

nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']);

nv_deletefile() resolves the path via realpath() and only verifies the result is within NV_ROOTDIR — it does not restrict deletion to the uploads directory — allowing deletion of any file in the installation root.

Steps to Reproduce

  1. Log in as an administrator and navigate to Admin → Comment Management.
  2. Select any comment and open the Edit form.
  3. Intercept the POST request and set the attach parameter to:
aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php

(26 padding characters + traversal path)

  1. Submit the request. The value ../../config.php is now stored in the database.
  2. Delete the comment. config.php is deleted from the application root.
  3. The application immediately redirects to the install wizard, confirming the file has been removed.

Impact

  • Any file readable by the web server process within NV_ROOTDIR can be permanently deleted.
  • Deleting config.php causes a full application outage and exposes the install wizard.

Severity

CVSS v3.1 Base Score: 8.7 (High)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required High (Admin required)
User Interaction None
Scope Changed
Confidentiality None
Integrity High
Availability High

Fix

Added nv_is_file() validation before processing the attach value. This function uses realpath() and a regex check to ensure the file resolves to a path within the intended upload directory, rejecting any traversal attempts.

// Fixed code
$attach = $nv_Request->get_string('attach', 'post', '');
if (!empty($attach) and nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload)) {
    $attach = substr($attach, strlen(NV_BASE_SITEURL . NV_UPLOADS_DIR . '/' . $module_upload . '/'));
} else {
    $attach = '';
}

References

@hoaquynhtim99 hoaquynhtim99 published to nukeviet/nukeviet Jul 13, 2026
Published to the GitHub Advisory Database Jul 13, 2026
Reviewed Jul 13, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

EPSS score

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

CVE ID

CVE-2026-54065

GHSA ID

GHSA-c9xg-64p9-f2jj

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.