SINEC INS v<1.0 SP2 Update6 PT via /api/sftp/uploadFiles
CVE-2026-46747 Published on June 9, 2026
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used for directory listing. This allows path traversal through crafted input, enabling access to unintended file system locations.
Weakness Type
Path Traversal: '/dir/../filename'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" sequences that can resolve to a location that is outside of that directory.
Products Associated with CVE-2026-46747
Want to know whenever a new CVE is published for Siemens Sinec Ins? stack.watch will email you.
Affected Versions
Siemens SINEC INS:- Before V1.0 SP2 Update 6 is affected.