The filesystem storage backend in Radicale before 1.1 on Windows allows remote attackers to read or write to arbitrary files via a crafted path, as demonstrated by /c:/file/ignore.
Loading...
Loading...
This critical-severity CVE scores 10.0 under NVD CVSS v3. EPSS exploit probability: 1.3%, top 20% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
The filesystem storage backend in Radicale before 1.1 on Windows allows remote attackers to read or write to arbitrary files via a crafted path, as demonstrated by /c:/file/ignore.
February 3, 2016
May 6, 2026
Fix landed in Unrud/Radicale commit b4b3d51f33c7 — awaiting tagged release
https://github.com/Unrud/Radicale/commit/b4b3d51f33c7623d312f289252dd7bbb8f58bbe6Fix merged in Kozea/Radicale PR #343 on 2015-12-24 — awaiting tagged release
https://github.com/Kozea/Radicale/pull/343| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| radicale | 0.10 ... 1.0.1 (18 versions) | 1.1 | — |
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
See which npm, PyPI, Go, and Maven packages are affected by CVE-2016-1505
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.