
CVE-2026-6903

Published 23/04/2026 10:16 · Modified 24/04/2026 14:50

Labels: CVE-2026-6903, 2026-04-23, CWE-22, [email protected]

Essential information

Published: 23/04/2026 10:16
Modified: 24/04/2026 14:50
Author:
Creator:
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE:
CVSS vector:


Description

The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website. The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.

NVD status

Status: Awaiting Analysis (CVE has been recently published to the CVE List and has been received by the NVD)
Source: [email protected]

Affected products (CPE)

Product: labone / labone web server
CPE: cpe:2.3:a:labone:labone_web_server:*:*:*:*:*:*:*:*
