An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
CVE-2024-34470
Score elevated to 9.0 because EPSS predicts 94% probability of exploitation within the next 30 days (top 0.2% of all CVEs). NVD baseline CVSS 8.6 retained for reference. Confidence: see factors.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.6
- EG Score
- 9.0(high)
- EPSS
- 93.1%
- KEV
- Not listed
Published
May 6, 2024
Last Modified
June 17, 2025
References (2)
- cve@mitrehttps://github.com/osvaldotenorio/CVE-2024-34470
- af854a3a-2127-422b-91ae-364da2661108https://github.com/osvaldotenorio/CVE-2024-34470
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 9× in last 7d / 39× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-09 19:09 UTCEPSS rescore
- 2026-07-08 15:14 UTCEPSS rescore
- 2026-07-08 15:13 UTCEPSS rescore
- 2026-07-07 13:45 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 02:22 UTCEPSS rescore
- 2026-07-06 02:22 UTCEPSS rescore
- 2026-07-05 02:29 UTCEPSS rescore
- 2026-07-04 06:30 UTCEPSS rescore
- 2026-07-01 15:05 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-28 14:06 UTCEPSS rescore
- 2026-06-28 14:06 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
Show 34 moreShow fewer
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:52 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-15 17:47 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-24 02:50 UTCEG score recompute
- 2026-05-24 02:50 UTCGHSA enrichment
Publicly available exploits
(5 references)Working exploit code is in the public domain (4 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCth3gokul/CVE-2024-34470First seen Jun 23, 2024
CVE-2024-34470 : An Unauthenticated Path Traversal Vulnerability in HSC Mailinspector
Open source ↗ - GitHub PoCMr-r00t11/CVE-2024-34470First seen Jun 20, 2024
A critical vulnerability has been found in HSC Mailinspector up to version 5.2.18. This vulnerability affects an unknown functionality of the file /public/loader.php.
Open source ↗ - GitHub PoCCappricio-Securities/CVE-2024-34470First seen Jun 20, 2024
HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
Open source ↗ - GitHub PoCbigb0x/CVE-2024-34470First seen Jun 19, 2024
POC and bulk scanner for CVE-2024-34470
Open source ↗ - Nucleihttp/cves/2024/CVE-2024-34470.yamlFirst seen Jan 1, 2024
HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
Open source ↗
Frequently asked(5)
What is CVE-2024-34470?
When was CVE-2024-34470 disclosed?
Is CVE-2024-34470 actively exploited?
What is the CVSS score of CVE-2024-34470?
How do I remediate CVE-2024-34470?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2024-34470
Is Your Infrastructure Affected by CVE-2024-34470?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.