### [CVE-2016-10726](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10726)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brightgreen)

### Description

The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/AmiraliSajadi/iris-fork
- https://github.com/Liby99/cwe-bench-java
- https://github.com/PuddinCat/GithubRepoSpider
- https://github.com/iris-sast/cwe-bench-java
- https://github.com/iris-sast/iris
- https://github.com/shoucheng3/DSpace__DSpace_CVE-2016-10726_4-4