What is CVE-2026-28078?

A medium-severity path traversal vulnerability exists in the Stylemix uListing plugin. This flaw can potentially allow unauthorized file access. Organizations should prioritize remediation to mitigate risk.

What is the severity of CVE-2026-28078?

CVE-2026-28078 has a severity rating of MEDIUM with a CVSS base score of 4.9.

CVE-2026-28078 | Medium Vulnerability in Stylemix uListing

CVE-2026-28078 is classified as a medium severity vulnerability affecting the Stylemix uListing plugin. This vulnerability allows improper limitation of a pathname to a restricted directory, also known as a path traversal vulnerability. The affected versions of uListing are from n/a through version 2.2.0. Given its CVSS score of 4.9, this vulnerability poses a notable risk to organizations utilizing this plugin.

Risk to organizations includes potential unauthorized access to sensitive files on the server, which could lead to data exposure. Attackers can exploit this vulnerability through network access, and its low attack complexity enhances the risk, necessitating immediate attention from security teams.

Organizations should prioritize patching immediately. As of now, there is no public exploit confirmed for this vulnerability, but the exploitation status is deferred, indicating that it requires urgent consideration.

Given the potential impacts, organizations using the uListing plugin should remain vigilant and prepare to implement necessary updates or mitigations.

Vulnerability Details

The vulnerability is characterized as a path traversal issue, which allows attackers to access files outside the intended directory. The CVSS 3.1 score of 4.9 indicates a medium severity level, suggesting that while it is not the most critical, it still poses a significant risk.

The vulnerability impacts the Stylemix uListing plugin, with the last published version being 2.2.0, and was first disclosed on March 5, 2026. The CWE classification for this vulnerability is CWE-22.

Technical Analysis

The root cause of this vulnerability lies in the improper validation of user input, which allows attackers to manipulate file paths. The attack vector is network-based, and the attack complexity is classified as low, requiring high privileges but no user interaction.

The impacts include high confidentiality risk, as access to sensitive files can be obtained. There is no impact on integrity or availability, making this vulnerability primarily a confidentiality concern.

Risk & Impact Analysis

Organizations using the uListing plugin face real-world risks, particularly if sensitive data is stored on the server. The blast radius could extend across multiple user accounts if exploited, leading to widespread data exposure.

With an EPSS score indicating a low likelihood of exploitation, organizations should still remain proactive in addressing this vulnerability due to its potential impacts.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects all versions of the uListing plugin up to and including 2.2.0. Organizations should ensure they are updated to the latest version to mitigate this risk.

Mitigation & Remediation

Organizations should prioritize updating to the latest version of the uListing plugin to remediate this vulnerability. If immediate patching is not possible, consider implementing network controls to restrict access to the affected components. Additionally, review and harden configurations to minimize exposure.

For further assistance, organizations may consider utilizing penetration testing services to identify potential vulnerabilities in their environment.

Detection Guidance

To detect potential exploitation attempts, organizations should monitor logs for indicators of abnormal file access patterns. Additionally, behavioral anomalies in file download requests should be flagged for further investigation.

AppSecure Threat Intelligence Insight

CVE-2026-28078 highlights the ongoing risk posed by path traversal vulnerabilities, which remain a common issue in web applications. The trend indicates a need for robust validation mechanisms in file handling processes to prevent such vulnerabilities.

Security teams should leverage this incident to bolster their security practices, ensuring regular updates and comprehensive security assessments are part of their operational procedures. For insights into improving security measures, organizations may find value in exploring our vulnerability management program and our penetration testing methodology resources.

By being proactive in addressing vulnerabilities like CVE-2026-28078, organizations can significantly reduce their risk exposure and enhance their overall security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-28078: Medium Vulnerability in Stylemix uListing