CVE-2026-6282

Summary

A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.

Affected Software

VendorProductVersion RangeStatus
LenovoPersonal Cloud T2s0 < 5.5.6.t2s.3affected
LenovoPersonal Cloud T2Pro0 < 5.4.8.t2pro.2affected
LenovoPersonal Cloud X1s0 < 5.4.8.x1s.2affected
LenovoHome Storage Hub T200 < 5.5.8.t20.1affected
LenovoHome Storage Hub X200 < 5.4.4.x20.1affected
LenovoPersonal Cloud T10 <= 5.4.0.t1.6affected
LenovoPersonal Cloud A10 <= 5.4.2.a1.3affected
LenovoPersonal Cloud A1s0 <= 5.5.6.a1saffected
LenovoPersonal Cloud T20 <= 5.4.5.t2.2affected
LenovoPersonal Cloud X10 <= 5.4.7.x1.1affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References