VULNERABILITY BRIEF · Critical · ThreatIntel

Critical Path Traversal (CVE‑2026‑26335) in Repetier‑Server 1.4.10 Exposes Arbitrary Files

A remote, unauthenticated path‑traversal vulnerability (CVE‑2026‑26335) in Repetier‑Server ≤ 1.4.10 lets an attacker read any file that the service account can access on the host. Because the readable files include the application's own user database, the flaw carries a high risk of credential and proprietary‑data exposure for manufacturers and service providers that run the software.

LiveThreat™ Intelligence · April 30, 2026 · Source: exploit-db.com

Severity: Critical · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 3 recommended

What Happened — A newly disclosed vulnerability, CVE‑2026‑26335, allows unauthenticated attackers to perform directory traversal (reported by the source as local file inclusion, LFI) against Repetier‑Server versions ≤ 1.4.10. By sending specially crafted HTTP requests, an adversary can read any file readable by the service account, including Windows system files and the application's SQLite database. The flaw is a read primitive: it discloses files but does not by itself execute code or modify the host.

Why It Matters for TPRM

  • Rated Critical (CVSS 9.8) and exploitable remotely without authentication or code execution: a single crafted request can reveal credential stores, configuration secrets, and proprietary design data.
  • Many manufacturers and prototyping labs host Repetier‑Server on‑premise, where it is often reachable from the wider internal network; credentials read from the server can be reused against other internal systems.
  • Third‑party risk assessments must account for data leakage and lateral movement originating from a compromised 3D‑printer management console, not just from the printers themselves.

Who Is Affected — Manufacturing & industrial prototyping firms, SaaS providers offering 3D‑printing services, and any organization that runs Repetier‑Server on Windows servers (including MSP‑managed environments).

Recommended Actions

  • Inventory every Repetier‑Server instance (including MSP‑managed and lab machines) and confirm none runs a version ≤ 1.4.10; upgrade immediately to the patched release (≥ 1.4.11).
  • Apply network segmentation: restrict inbound access to the Repetier‑Server web UI (TCP 3344 by default) to trusted IP ranges only, and never expose it directly to the internet.
  • Review web‑server and reverse‑proxy access logs for traversal sequences in request paths (`..`, `..%5c`, `%2e%2e`, and double‑encoded variants). Treat any instance that was reachable from untrusted networks while vulnerable as exposed: rotate credentials stored in its user database and any secrets in its configuration. File‑integrity monitoring of the installation directory is still worthwhile, but note that it will not detect this flaw, which only reads files.
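The version check and log review above, as an added example (not code from Repetier‑Server, the exploit, or the brief's source). It flags version strings at or below 1.4.10 and scans access‑log lines for requests whose path still contains a `..` segment after full URL decoding, so the `%5c` and double‑encoded `%255c` forms the brief mentions are caught. The log format (Combined Log Format shape), the sample lines and the request paths are constructed for the example and are not copied from the exploit.

```python
"""Triage helpers for CVE-2026-26335 (added example, not vendor or exploit code)."""
import re
from urllib.parse import unquote

FIXED_IN = (1, 4, 11)  # first patched release according to the brief (>= 1.4.11)


def parse_version(version: str) -> tuple:
    """Turn '1.4.10' (or '1.4.10-beta') into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError(f"no version number in {version!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(version: str) -> bool:
    """True for every Repetier-Server release before the fix, i.e. <= 1.4.10."""
    return parse_version(version) < FIXED_IN


# Assumed access-log shape: Combined Log Format (client, ident, user, [time], "request", status).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target: str) -> str:
    """URL-decode until stable (catches %255c -> %5c -> \\), then treat backslashes as separators."""
    prev, cur = None, target
    for _ in range(5):  # bounded: stop after a few layers of nesting
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """A request is a traversal attempt if any path segment is exactly '..' after decoding."""
    path = decode_target(target).split("?", 1)[0]
    return ".." in path.split("/")


def find_traversal_requests(lines) -> list:
    """Return the log entries that carry a traversal attempt, with the decoded path for analysts."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "decoded": decode_target(m["target"]),
                "status": int(m["status"]),
            })
    return hits


# Constructed sample log lines (not real traffic). Lines 1-2 mimic the traversal shape
# described in the brief; lines 3-4 are ordinary requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2026:10:01:02 +0000] "GET /views/..%5c..%5c..%5cWindows%5cwin.ini HTTP/1.1" 200 92 "-" "curl/8.5.0"',
    '203.0.113.7 - - [30/Apr/2026:10:01:05 +0000] "GET /base/connectionLost.php/..%255c..%255c..%255cProgramData%5cRepetier-Server%5cdatabase%5cuser.sql HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '198.51.100.4 - - [30/Apr/2026:10:02:00 +0000] "GET /views/dashboard HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Apr/2026:10:02:10 +0000] "GET /assets/app.js HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("1.4.10", "1.4.11", "1.3.7"):
        print(v, "VULNERABLE" if is_vulnerable_version(v) else "patched")
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["decoded"])
```

Feed real logs in through `find_traversal_requests(open(path))`; a hit with status 200 on a file path outside the web root (here `Windows/win.ini` and `database/user.sql`) is the strongest indicator that the read actually succeeded and that stored credentials should be rotated.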

Technical Notes — The exploit leverages a path‑traversal flaw in the views and base/connectionLost.php endpoints. The payload uses URL‑encoded backslashes (%5c) to climb the directory tree and retrieve arbitrary files (e.g., Windows\win.ini or ProgramData\Repetier-Server\database\user.sql); the backslash form matters because Windows path handling accepts it as a separator even where a forward‑slash filter is in place. CVE‑2026‑26335 is reported with a CVSS 9.8 score (Critical): Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Confidentiality Impact High. Note that a 9.8 under CVSS v3.x requires High impact on integrity and availability as well; an information‑disclosure flaw with High confidentiality impact alone (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) scores 7.5, so confirm the full published vector before using the score in your own risk ratings.
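The bug class described above, as an added example that is not Repetier‑Server's code (the real server is native code and its internal file handling is not reproduced here). The example contrasts a naive resolver, which joins the decoded request path onto the web root and so follows `%5c`‑encoded `..\` segments out of it, with a hardened resolver that normalises separators and case and then checks containment. `ntpath` is used so the Windows semantics run on any host; the web‑root layout `C:\Program Files\Repetier-Server\www` is an assumption for the illustration, not a path taken from the product or the exploit.

```python
"""Vulnerable vs. hardened static-file resolution (added example, not vendor code)."""
import ntpath
from urllib.parse import unquote


def fully_unquote(s: str) -> str:
    """URL-decode until stable so double-encoded %255c collapses to a real backslash."""
    prev, cur = None, s
    for _ in range(5):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def unsafe_resolve(webroot: str, request_path: str, pathmod=ntpath) -> str:
    """The vulnerable pattern: decode, join onto the web root, normalise, serve.
    normpath happily collapses '..' segments, so the result may leave webroot."""
    decoded = fully_unquote(request_path).lstrip("/\\")
    return pathmod.normpath(pathmod.join(webroot, decoded))


def safe_resolve(webroot: str, request_path: str, pathmod=ntpath) -> str:
    """Hardened: resolve exactly as above, then refuse anything outside the web root.
    Containment is checked with a separator-terminated, case-folded prefix so that
    'C:\\www2' is not mistaken for a child of 'C:\\www'. normpath does not resolve
    symlinks or junctions; production code should use os.path.realpath as well."""
    decoded = fully_unquote(request_path).lstrip("/\\")
    root = pathmod.normpath(webroot)
    candidate = pathmod.normpath(pathmod.join(root, decoded))
    root_cmp = pathmod.normcase(root)
    cand_cmp = pathmod.normcase(candidate)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + pathmod.sep):
        raise PermissionError(f"path escapes web root: {request_path!r} -> {candidate}")
    return candidate


def is_allowed(webroot: str, request_path: str, pathmod=ntpath) -> bool:
    """Boolean wrapper around safe_resolve for policy checks and tests."""
    try:
        safe_resolve(webroot, request_path, pathmod)
        return True
    except PermissionError:
        return False


# Assumed layout for the illustration (three components below the drive).
WEBROOT = r"C:\Program Files\Repetier-Server\www"

# Constructed request shapes, not copied from the exploit:
TRAVERSAL = "/views/..%5c..%5c..%5c..%5cWindows%5cwin.ini"        # encoded backslashes
DOUBLE_ENC = "/views/..%255c..%255c..%255c..%255cWindows%255cwin.ini"  # double-encoded
ABSOLUTE = "/C:%5cWindows%5cwin.ini"                                # drive-absolute path
BENIGN = "/views/dashboard.html"

if __name__ == "__main__":
    for req in (TRAVERSAL, DOUBLE_ENC, ABSOLUTE, BENIGN):
        print(f"{req:55} unsafe -> {unsafe_resolve(WEBROOT, req)}")
        print(f"{'':55} safe   -> {'allowed' if is_allowed(WEBROOT, req) else 'REJECTED'}")
```

Two details carry the security value here: decoding to a fixed point before any check (a filter that runs before decoding sees `%5c`, not a separator), and comparing with `root + sep` rather than a bare string prefix. On Windows, also remember that the comparison must be case‑insensitive, which `ntpath.normcase` provides.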

📰 Original Source
https://www.exploit-db.com/exploits/52540

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
