CVE-2026-41412

MEDIUM NVD

CVSS Score 4.9

Severity MEDIUM

Published Jun 02, 2026

Vendor unknown

Description

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every extension script's scope. The `postFileAndSaveResponse()` method accepts an arbitrary filesystem path as its `file` parameter and reads the file contents using `new FileInputStream(file)` with no path validation, directory restriction, or allowlist. A malicious extension script can read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server via HTTP POST. Version 2.0-M5-2606 patches the issue.

References

https://github.com/alfio-event/alf.io/security/advisories/GHSA-6m62-53cw-4373