CRITICAL🇵🇱 Wersja polska

CVE-2026-2731

CVSS 10.0v4.0pub. 2026-02-19upd. 2026-04-15

Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests

🤖 AI Analysis
How it works

The vulnerability results from a combination of path traversal vulnerability (CWE-22) with content injection capability in the JobRunnerBackground.aspx component. An attacker, without possessing any authentication credentials, can craft an HTTP request that traverses outside the allowed filesystem area and then inject and execute malicious server-side code. The entire attack requires no user interaction or special prerequisites.

Impact

An attacker gains the ability to execute arbitrary code remotely on the server (RCE), which in practice means full system takeover, data breach, and potential lateral movement within the internal network.

Mitigation & patch

DynamicWeb 9 must be immediately updated to version 9.19.7 or 9.20.3 (or newer). For DynamicWeb 8, patches available from the manufacturer should be applied according to references (https://doc.dynamicweb.dev/documentation/fundamentals/dw10release/security-reports.html). Until patches are applied, it is recommended to restrict access to the JobRunnerBackground.aspx endpoint at the firewall or web server rules level.

Who is affected

DynamicWeb 8 (all versions) and DynamicWeb 9 in versions below 9.19.7 and below 9.20.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalAuth Bypass
CWE
References