CVE-2026-48796

MEDIUMPre-NVD 5.35.3
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
5.3
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

CefSharp.Common: FolderSchemeHandlerFactory path boundary check can expose files outside the configured root folder

Summary

FolderSchemeHandlerFactory was intended to restrict served files to a configured rootFolder, but its path validation used a raw string prefix check. A request could escape to a sibling directory whose full path starts with the root folder path, allowing files outside the configured root to be served.

Details

In affected versions, FolderSchemeHandlerFactory canonicalized rootFolder, decoded the request path, combined it with the root, and then allowed the file when:

filePath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase)

This does not enforce a directory boundary. For example, /tmp/app/www2/secret.txt starts with /tmp/app/www, but www2 is a sibling of www, not a child. The same issue applies on Windows, for example C:\app\www2\secret.txt starts with C:\app\www.

The affected code was reviewed at commit b5fef3bb4bc58798c95170078c41de92cfe9066e, assembly version 147.0.100.

PoC

Set rootFolder to a directory named www and create a sibling directory named www2:

/www/index.html
/www2/secret.txt

Register FolderSchemeHandlerFactory for /www, then request:

https://folderschemehandlerfactory.test/..%2fwww2/secret.txt

The request path is URL-decoded to ../www2/secret.txt, combined with /www, and canonicalized to:

/www2/secret.txt

Because /www2/secret.txt starts with /www as a string prefix, the affected check passes and secret.txt is served from outside rootFolder.

Expected vulnerable result: HTTP 200 with the contents of /www2/secret.txt.

Expected fixed result: 404 or equivalent not-found response because the resolved file is outside rootFolder.

Impact

Applications using FolderSchemeHandlerFactory for a custom scheme or registered HTTP/HTTPS scheme may expose local files outside the intended served directory. This is most relevant when sensitive sibling directories share the root path prefix, such as www/www2, public/public_backup, or static/static-secrets.

An attacker must be able to cause the embedded browser to request URLs handled by the affected scheme registration.

CVSS v3
5.3
EG Score
5.3(low)
EPSS
KEV
Not listed

Published

June 30, 2026

Last Modified

June 30, 2026

Vendor Advisories for CVE-2026-48796(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 7× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 19:33 UTCEG score recompute
  2. 2026-07-05 19:31 UTCEG score recompute
  3. 2026-07-04 19:31 UTCEG score recompute
  4. 2026-07-03 19:30 UTCEG score recompute
  5. 2026-07-02 19:30 UTCEG score recompute
  6. 2026-07-01 19:30 UTCEG score recompute
  7. 2026-06-30 19:31 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48796?
CVE-2026-48796 is a medium vulnerability published on June 30, 2026. CefSharp.Common: FolderSchemeHandlerFactory path boundary check can expose files outside the configured root folder Summary FolderSchemeHandlerFactory was intended to restrict served files to a configured rootFolder, but its path validation used a raw string prefix check. A request could escape to…
When was CVE-2026-48796 disclosed?
CVE-2026-48796 was first published in the National Vulnerability Database on June 30, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-48796?
CVE-2026-48796 has a CVSS v4.0 base score of 5.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48796?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48796, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-48796

Explore →

Is Your Infrastructure Affected by CVE-2026-48796?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.