CVE-2026-31215 · CRITICAL 9.1 · EPSS p32.9%

Description

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /{index_name}/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied path_or_url parameter. This allows unauthenticated remote attackers to send crafted requests that trigger the deletion of arbitrary documents from ElasticSearch indices and corresponding files from the MinIO storage system. Successful exploitation leads to data destruction and denial of service.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 32.9% · 2026-06-18T12:00:27Z
Published: 2026-05-12
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-552

References

  1. https://github.com/ModelEngine-Group/nexent
  2. https://www.notion.so/CVE-2026-31215-35d1e139318881f5946ed206d96e34d8

Type: Weakness · Target: Files or Directories Accessible to External Parties (cwe-552) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-31216
  2. CVE-2026-36726
  3. CVE-2025-10916
  4. CVE-2025-0105
  5. CVE-2026-20253
  6. CVE-2026-35077

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.