What is GHSA-3fmq-xr93-jqc5?

GHSA-3fmq-xr93-jqc5 is a security advisory published by GitHub Security Advisories with Critical severity. Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through...

Which CVE IDs does GHSA-3fmq-xr93-jqc5 cover?

GHSA-3fmq-xr93-jqc5 covers the following CVE IDs: CVE-2026-9508. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-3fmq-xr93-jqc5Critical

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through...

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-9508 →

📋 Description

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-9508
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar
https://github.com/advisories/GHSA-3fmq-xr93-jqc5