CVE-2026-53906

MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:mycomplianceoffice:mycomplianceoffice:25.3.3.1:*:*:*:*:*:*:*

History

06 Jul 2026, 14:22

Type Values Removed Values Added
CPE cpe:2.3:a:mycomplianceoffice:mycomplianceoffice:25.3.3.1:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.2
References () https://cert.pl/en/posts/2026/07/CVE-2026-53902 - () https://cert.pl/en/posts/2026/07/CVE-2026-53902 - Third Party Advisory
References () https://mco.mycomplianceoffice.com/ - () https://mco.mycomplianceoffice.com/ - Product
First Time Mycomplianceoffice mycomplianceoffice
Mycomplianceoffice

01 Jul 2026, 13:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-01 13:17

Updated : 2026-07-06 14:22


NVD link : CVE-2026-53906

Mitre link : CVE-2026-53906

CVE.ORG link : CVE-2026-53906


JSON object : View

Products Affected

mycomplianceoffice

  • mycomplianceoffice
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-209

Generation of Error Message Containing Sensitive Information