CVE-2026-54065: NukeViet Path Traversal to Arbitrary File Deletion
A flaw in NukeViet's comment admin panel lets an authenticated administrator delete any file on the server, including the site's config file, by smuggling a path traversal sequence through the attach
The problem
The Edit Comment admin function in modules/comment/admin/edit.php accepted a raw user-supplied attach parameter without validating that it resolved to a path inside the uploads directory.
The code stripped a fixed-length URL prefix with substr(), but never checked whether the remaining value stayed within uploads/. When a comment was later deleted, del.php passed the stored value directly to nv_deletefile(), which only verified the resolved path was under NV_ROOTDIR, not under uploads/.
Any file accessible to the web server process could be permanently deleted.
Proof of concept
A working proof-of-concept for CVE-2026-54065 in nukeviet/nukeviet, with the exact payload below.
POST /admin/index.php?nv=comment&op=edit HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
Cookie: <admin_session>
comment_id=123&attach=aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php&<other_fields>The substr() call blindly removed the first N characters (the length of the upload URL prefix, e.g. 26 chars for /nukeviet/uploads/comment/). Padding the attach value with 26 arbitrary characters followed by ../../config.php caused the traversal sequence to survive stripping and be stored verbatim in the database.
On comment deletion, del.php fed that stored value to nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']), which resolved to the application root. The function only checked realpath() landed inside NV_ROOTDIR, not inside the uploads subdirectory, so ../../config.php passed validation and was deleted.
The fix (4.6.00) added a nv_is_file() call before substr() runs. That function uses realpath() plus a regex to confirm the file physically lives inside NV_UPLOADS_DIR/comment/, rejecting any path that escapes it. If the check fails, attach is reset to an empty string before any processing occurs.
This maps to CWE-22 (Path Traversal).
The fix
Upgrade to NukeViet 4.6.00 or later. The patch adds nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload) validation in modules/comment/admin/edit.php before the substr() prefix strip. Any attach value that does not resolve to a real file inside the designated upload directory is discarded.
No workaround is available in older versions short of removing admin access to the Comment Edit function.
Related research
- high · 8.7CVE-2026-54064CVE-2026-54064: NukeViet CMS Multiple Anti-XSS Filter Bypasses Leading to Stored XSS
- high · 7.2CVE-2026-55372CVE-2026-55372: NukeViet Pre-auth SSRF via X-Forwarded-Host
- high · 8.2CVE-2026-48118CVE-2026-48118: NukeViet Unauthenticated Reflected XSS via Base64-Encoded Comment Status Parameter
- high · 8.7CVE-2026-49259CVE-2026-49259: NukeViet CMS Stored XSS via Comment Reply Handler