CVE-2026-11345

MEDIUM

CVSS v4.0: 6.9 · EPSS: 0.0013 (33.0 percentile)

NetworkNo privilegesNo user interactionImproper AuthenticationVendor advisory ref

Source data as of:

At a glance

Severity
MEDIUM
CVSS
6.9 v4.0 · NVD
EPSS
0.0013 (33.0 percentile) · FIRST.org
CISA KEV
No
Type
Improper Authentication · NVD CWE
Attack conditions (CVSS vector)
NetworkNo privilegesNo user interaction · Source: NVD Vector
Published
2026-06-05 · Modified: 2026-06-05
References
Jump to references (1)

CVSS / EPSS / KEV

CVSS v4.0 6.9 / 10 MEDIUM Source: NVD
EPSS 0.0013 33.0 percentile Source: FIRST.org
CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorrectly grants access if an 'AnonFile' query parameter containing exactly 256 characters is provided. While this flaw allows bypassing the intended authorization check, the actual security impact is negligible; the exposed resources are strictly limited to minified JavaScript and CSS files that contain no sensitive data and are already publicly accessible via a standard CDN.

Record details

CVE ID
CVE-2026-11345
CVSS (v4.0)
6.9 (MEDIUM)
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS
0.0013 (33.0 percentile) — 2026-06-06
CISA KEV
No
Weakness (CWE)
CWE-287
Affected configurations (CPE)
0
Published
2026-06-05
Modified
2026-06-05
Status
Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

Related records

Other records sharing a factual facet, for cross-reference. A descriptive neighbourhood — ordering does not imply priority and is not a recommendation.

Same weakness type (CWE)

CVE-2026-46389 CRITICAL CVSS 10.0 CVE-2026-6274 CRITICAL CVSS 9.8 CVE-2026-34873 CRITICAL CVSS 9.1 CVE-2017-14032 HIGH CVSS 8.1

Published the same year

CVE-2026-11414 CRITICAL CVSS 10.0 CVE-2026-11420 CRITICAL CVSS 10.0 CVE-2026-3611 CRITICAL CVSS 10.0 CVE-2026-46389 CRITICAL CVSS 10.0
← Back to all records