CVE-2023-5588
CVE-2023-5588 is a low-severity vulnerability in Kpherox Pleroma with a CVSS 3.x base score of 2.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-22.
Key facts
- Severity: Low (CVSS 3.x base score 2.6)
- CVSS v2: 1.4
- EPSS exploit prediction: 1% (43rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-22
- Affected product: Kpherox Pleroma
- Published:
- Last modified:
Description
A vulnerability was found in kphrx pleroma. It has been classified as problematic. This affects the function Pleroma.Emoji.Pack of the file lib/pleroma/emoji/pack.ex. The manipulation of the argument name leads to path traversal. The complexity of an attack is rather high. The exploitability is told to be difficult. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 2c795094535537a8607cc0d3b7f076a609636f40. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-242187.
Frequently asked questions
- What is CVE-2023-5588?
- A vulnerability was found in kphrx pleroma. It has been classified as problematic. This affects the function Pleroma.Emoji.Pack of the file lib/pleroma/emoji/pack.ex. The manipulation of the argument name leads to path traversal. The complexity of an attack is rather high. The exploitability is told to be difficult. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 2c795094535537a8607cc0d3b7f076a609636f40. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-242187.
- How severe is CVE-2023-5588?
- CVE-2023-5588 has a CVSS 3.x base score of 2.6, rated low severity. It is exploitable over an adjacent network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2023-5588 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-5588?
- CVE-2023-5588 affects Kpherox Pleroma. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-5588?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-5588 published?
- CVE-2023-5588 was published on 2023-10-15 and last updated on 2026-06-17.
References
- https://github.com/kphrx/pleroma/commit/2c795094535537a8607cc0d3b7f076a609636f40
- https://github.com/kphrx/pleroma/pull/197
- https://vuldb.com/?ctiid.242187
- https://vuldb.com/?id.242187
Affected products (1)
- cpe:2.3:a:kpherox:pleroma:-:*:*:*:*:*:*:*
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…