Vulnerability Details CVE-2026-31216
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/{object_name:path} endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send crafted requests with a user-controlled object_name path parameter to delete arbitrary files from the underlying MinIO storage system. Successful exploitation leads to data loss and denial of service.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 54.8%
CVSS Severity
CVSS v3 Score 9.1
References