CVE-2026-42213

UNKNOWN 0.0

SolidCAM-GPPL-IDE: Path traversal in `inc` directive enables file probing and NTLM-hash leak

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code textDocument/documentLink). The handler accepted arbitrary paths — absolute, relative with parent-directory segments (..\..\..\), UNC (\\server\share\), and arbitrary subfolders — and called File.Exists on each to decide whether to render the link. Two distinct attack surfaces resulted: information disclosure via File.Exists probing and NTLM hash leak via UNC path probing. This issue has been patched in version 1.0.2.

CWE	CWE-22 CWE-200 CWE-295 CWE-918
Vendor	anzory
Product	solidcam-gppl-ide
Published	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for anzory solidcam-gppl-ide

Be the first to know when new unknown vulnerabilities affecting anzory solidcam-gppl-ide are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

anzory / SolidCAM-GPPL-IDE

>= 1.0.0, < 1.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-xvpx-9p39-g62m github.com: https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d github.com: https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2