CVE-2026-53915
Is CVE-2026-53915 real, exploitable, or a false positive? Here's the community verdict.
Signals (public sources): High CVSS base score, but low real-world exploitation probability (EPSS). Likely less urgent than the score implies.

Baseline read (automatic, not a community verdict): Real, but low real-world risk. A genuine vulnerability on paper, but EPSS shows little real-world exploitation; the base score may overstate urgency. This is not the same as a false positive. Based on CVSS and FIRST EPSS.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
In JetBrains GoLand before 2026.1.3, remote code execution was possible via untrusted project configuration.
Related CVEs
Same weakness: CWE-73.
- CVE-2024-43451 (MED 6.5, KEV, EPSS 82%): NTLM Hash Disclosure Spoofing Vulnerability.
- CVE-2025-33053 (HIGH 8.8, KEV, EPSS 82%): External control of file name or path in Internet Shortcut Files allows an unauthorized attacker to execute code over a network.
- CVE-2025-24054 (MED 6.5, KEV, EPSS 59%): External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-47214 (HIGH 7.1): Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
- CVE-2025-71334 (CRIT 9.8, real but low risk, EPSS 1%): Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value (e.g., '../../../../../tmp') as the chatflow id, an unauthenticated attacker can use the /api/v1/chatflows endpoint (via addBase64FilesToStorage) to write arbitrary files, and the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints (via streamStorageFile) to read arbitrary files. Arbitrary file write may lead to remote code execution.
- CVE-2025-71338 (CRIT 10, real but low risk, EPSS 1%): Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.