๐Ÿ” CVE Alert

CVE-2026-0522

UNKNOWN 0.0

Local File Inclusion in the File Upload/Download Process

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file at the attacker-controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths, which may enable NTLM-relaying attacks. This issue affects VertiGIS FM: 10.5.00119 (0d29d428).

CWE: CWE-610
Vendor: vertigis
Product: vertigis fm
Published: Apr 1, 2026
Last Updated: Apr 1, 2026

Affected Versions

VertiGIS / VertiGIS FM
0 < 10.11.363

References

redguard.ch: https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/
support.vertigis.com: https://support.vertigis.com/hc/en-us/articles/31214433137042-Security-Vulnerability-VertiGIS-FM

Credits

Benjamin Faller, Redguard AG
David Wischnjak, Redguard AG