KEVIntel
PRO Back to KEVs
7.5
CVSS
High

CVE-2017-10974

PUBLISHED

Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080. NOTE: this CVE is only about use of...

Exploited in the wild Remote Low complexity No user interaction
Vendor
Yaws
Product
Yaws
Published
Jul 07, 2017
EPSS
91.3% · 100% pctl

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot sensor data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080. NOTE: this CVE is only about use of an initial /%5C sequence to defeat traversal protection mechanisms; the initial /%5C sequence was apparently not discussed in earlier research on this product.

nuclei_scanner

Weaknesses (CWE)

  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores

CVSS v3.0 7.5 High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0 5.0 Medium

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitation status

Exploited in the wild

Recorded 2026-06-07 00:00:00 UTC · The Shadowserver (via CIRCL)

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) First 2026-06-07 00:00 UTC

Scanner integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-10974.yaml Apr 25, 2025

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel