CVE-2026-61343
LibreBooking path traversal
CVSS Score
7.2
EPSS Score
0.0%
EPSS Percentile
0th
LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.
| CWE | CWE-23 |
| Vendor | librebooking |
| Product | librebooking |
| Published | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for librebooking librebooking
Be the first to know when new high vulnerabilities affecting librebooking librebooking are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
LibreBooking / LibreBooking
0 < 5.1.0
References
github.com: https://github.com/LibreBooking/librebooking/pull/1456 github.com: https://github.com/LibreBooking/librebooking/releases/tag/v5.1.0 github.com: https://github.com/LibreBooking/librebooking/commit/cb9b7ad9da0243bd105809f6a4a8a6b9147c71ea raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-190-01.json cve.org: https://www.cve.org/CVERecord?id=CVE-2026-61343
Credits
Noah Magill