CVE-2026-31216 · CRITICAL 9.1 · EPSS p31.8%

Description

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.40% probability of exploitation · percentile 31.8% · 2026-06-18T12:00:27Z
Published: 2026-05-12
Last modified: 2026-05-26

Underlying weaknesses· 1

CWE-552

References

  1. https://github.com/ModelEngine-Group/nexent
  2. https://www.notion.so/CVE-2026-31216-35d1e139318881208297f0fbd8005f68

Type | Target | Confidence | Tier
Weakness | Files or Directories Accessible to External Parties (cwe-552) | 0% | live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2026-31215
CVE · CVE-2026-35077
CVE · CVE-2026-5027
CVE · CVE-2026-36726
CVE · CVE-2026-21628
CVE · CVE-2026-35076
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.