{"id":"CVE-2018-13864","details":"A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.","aliases":["GHSA-v4mq-p756-p4f5"],"modified":"2026-03-14T09:27:51.623073Z","published":"2018-07-17T12:29:00.230Z","references":[{"type":"ADVISORY","url":"https://www.playframework.com/security/vulnerability/CVE-2018-13864-PathTraversal"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/playframework/playframework","events":[{"introduced":"a461b485b30eb2ea2b48e2beaf79e41c7d8fd12d"},{"last_affected":"ccff2ec88a50f18485b57b13dba926eeed1a583d"}],"database_specific":{"versions":[{"introduced":"2.6.12"},{"last_affected":"2.6.15"}]}}],"versions":["2.6.12","2.6.13","2.6.14","2.6.15"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-13864.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}