CVE-2026-2623 | Blossom up to 1.17.1 File Upload BLOSManager.java put path traversal

A vulnerability marked as critical has been reported in Blossom up to 1.17.1. This issue affects the function put of the file blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java of the component File Upload. This manipulation causes path traversal.

This vulnerability appears as CVE-2026-2623. The attack may be initiated remotely. In addition, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.