HOMEVULNERABILITIESCVE-2026-6418
MEDIUM

CVE-2026-6418

CWE-36Published: May 5, 2026· Updated: May 7, 2026

4.6
CVSS v3.1
EPSS:0.03%probability of exploitation in 30 daysPercentile:9.4th

Official Description

An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.

Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.

When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.

NVD Source

Technical Analysis

CVE-2026-6418 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires high privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.High
User InteractionNone
ScopeX
Impact
Confidentiality
Integrity
Availability
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (1)

Quick Facts

CVE IDCVE-2026-6418
CVSS Score4.6 / 10
SeverityMEDIUM
WeaknessCWE-36
CISA KEVNo
EPSS (30d)0.03%
PublishedMay 5, 2026

Related CVEs (CWE-36)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-6418 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.