{"id":"CVE-2019-9889","details":"In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with File Inclusion. An attacker can leverage this vulnerability to execute code under the context of the web server.","modified":"2026-04-10T04:21:01.410846Z","published":"2019-03-21T16:01:17.627Z","references":[{"type":"ADVISORY","url":"https://github.com/vanilla/vanilla/compare/b043ae8...9f12b22"},{"type":"ADVISORY","url":"https://github.com/vanilla/vanilla/pull/7840"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/411140"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vanilla/vanilla","events":[{"introduced":"0"},{"fixed":"9f12b221c5287fef0a946a7d056ca414e1e0c8ca"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.6.4"}]}}],"versions":["Vanilla_2.6.1","Vanilla_2.6.3","list"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9889.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}]}