CVE-2026-6903

HIGH EPSS 25.3%

Published Apr 23, 20262mo ago · Modified Jun 17, 20261w ago

8.7 CVSS 4.0

High

Published Apr 23, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website. The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.

CVSS Details

Base Score

8.7

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

25.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt

CWE-346

References 2

zhinst.com https://www.zhinst.com/support/download-center/
zhinst.com https://www.zhinst.com/support/security/2026/zi-sa-2026-001/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.