high · 8.7CVE-2026-54065Jul 13, 2026

CVE-2026-54065: NukeViet Path Traversal to Arbitrary File Deletion

Shubham Kandhare
Security Engagement Manager, SecureLayer7

A flaw in NukeViet's comment admin panel lets an authenticated administrator delete any file on the server, including the site's config file, by smuggling a path traversal sequence through the attach

Packagenukeviet/nukeviet
Ecosystemcomposer
Affected< 4.6.00
Fixed in4.6.00

The problem

The Edit Comment admin function in modules/comment/admin/edit.php accepted a raw user-supplied attach parameter without validating that it resolved to a path inside the uploads directory.

The code stripped a fixed-length URL prefix with substr(), but never checked whether the remaining value stayed within uploads/. When a comment was later deleted, del.php passed the stored value directly to nv_deletefile(), which only verified the resolved path was under NV_ROOTDIR, not under uploads/.

Any file accessible to the web server process could be permanently deleted.

Proof of concept

A working proof-of-concept for CVE-2026-54065 in nukeviet/nukeviet, with the exact payload below.

http
POST /admin/index.php?nv=comment&op=edit HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
Cookie: <admin_session>

comment_id=123&attach=aaaaaaaaaaaaaaaaaaaaaaaaaa../../config.php&<other_fields>

The substr() call blindly removed the first N characters (the length of the upload URL prefix, e.g. 26 chars for /nukeviet/uploads/comment/). Padding the attach value with 26 arbitrary characters followed by ../../config.php caused the traversal sequence to survive stripping and be stored verbatim in the database.

On comment deletion, del.php fed that stored value to nv_deletefile(NV_UPLOADS_REAL_DIR . '/' . $module_upload . '/' . $row['attach']), which resolved to the application root. The function only checked realpath() landed inside NV_ROOTDIR, not inside the uploads subdirectory, so ../../config.php passed validation and was deleted.

The fix (4.6.00) added a nv_is_file() call before substr() runs. That function uses realpath() plus a regex to confirm the file physically lives inside NV_UPLOADS_DIR/comment/, rejecting any path that escapes it. If the check fails, attach is reset to an empty string before any processing occurs.

This maps to CWE-22 (Path Traversal).

The fix

Upgrade to NukeViet 4.6.00 or later. The patch adds nv_is_file($attach, NV_UPLOADS_DIR . '/' . $module_upload) validation in modules/comment/admin/edit.php before the substr() prefix strip. Any attach value that does not resolve to a real file inside the designated upload directory is discarded.

No workaround is available in older versions short of removing admin access to the Comment Edit function.

Reporter not attributed.

References: [1][2]

Related research