File Path Injection Vulnerability in PaperCut MF for Enhanced Account Synchronization
CVE-2026-6418

4.6 MEDIUM

Key Information:

Vendor: PaperCut

CVE Published: 5 May 2026

What is CVE-2026-6418?

A vulnerability in the Shared Account Synchronization component of PaperCut MF version 25.0.4 allows authenticated administrative users to specify unvalidated file paths in the application. This lack of proper validation can lead to directory enumeration and unauthorized access to sensitive configuration or system files. When the synchronization process is initiated, the application may expose critical data through its account management interface, potentially revealing sensitive information depending on the permissions granted to its service account. This could pose serious risks to system integrity and confidentiality.

Affected Version(s)

PaperCut NG/MF 0 < 25.0.11

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
