CVE-2026-21857: Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

January 5, 2026 (updated January 8, 2026)

Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon’s file export functionality.

References

github.com/advisories/GHSA-824x-88xg-cwrv
github.com/redaxo/redaxo
github.com/redaxo/redaxo/releases/tag/5.20.2
github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv
nvd.nist.gov/vuln/detail/CVE-2026-21857

Code Behaviors & Features

Detect and mitigate CVE-2026-21857 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →