CVE-2026-1018

7.5 HIGH

📋 TL;DR

The Police Statistics Database System developed by Gotac contains an unauthenticated arbitrary file read vulnerability via absolute path traversal. This allows remote attackers to download any system files without authentication. Organizations using this software are affected.

💻 Affected Systems

Products:
  • Police Statistics Database System
Versions: All versions prior to patch
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the web interface component of the database system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could exfiltrate sensitive police data, system configuration files, credentials, and other critical information, potentially leading to data breaches and system compromise.

🟠 Likely Case

Attackers will download configuration files, database credentials, and sensitive police statistics data for reconnaissance and further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to the exposed system's files only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and uses simple path traversal techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest version from vendor

Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html

Restart Required: Yes

Instructions:

1. Contact Gotac for the latest patched version.
2. Back up the current installation.
3. Install the patched version.
4. Restart the application service.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all

Restrict access to the Police Statistics Database System web interface to authorized IP addresses only.

Web Application Firewall Rules

Applies to: all

Implement WAF rules to block path traversal patterns and file read attempts.

🧯 If You Can't Patch

  • Isolate the system on a separate network segment with strict access controls
  • Implement application-level input validation to sanitize file path parameters

🔍 How to Verify

Check if Vulnerable:

Attempt to access system files via the web interface using path traversal payloads like '../../../../etc/passwd' or 'C:\Windows\system.ini'

Check Version:

Check the application version in the web interface or configuration files

Verify Fix Applied:

Test the same path traversal attempts after patching; they should return error messages instead of file contents.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed file access attempts
  • Requests containing '../' patterns
  • Access to unusual file paths

Network Indicators:

  • Unusual outbound data transfers from the database server
  • HTTP requests with file path parameters

SIEM Query:

source="web_server" AND (uri="*../*" OR uri="*..\\*" OR uri="*file=*" OR uri="*path=*")
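The SIEM query above keys on a literal '../' and on parameter names. For the absolute-path form this CVE describes, the file parameter can carry a plain '/etc/passwd' or 'C:\...' with no dot-dot at all, and URL encoding hides both from a substring match. As an added example (not from this page or the vendor), the Python scanner below decodes file-parameter values from constructed access-log lines and flags both the relative and the absolute form; the parameter names in FILE_PARAMS and the log lines themselves are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines; not traffic from the affected product.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /report?file=../../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.5 - - [12/Jan/2026:10:00:02 +0000] "GET /report?file=%2Fetc%2Fshadow HTTP/1.1" 200 931
10.0.0.9 - - [12/Jan/2026:10:00:03 +0000] "GET /download?path=C:%5CWindows%5Csystem.ini HTTP/1.1" 200 219
10.0.0.7 - - [12/Jan/2026:10:00:04 +0000] "GET /report?file=monthly_2025.pdf HTTP/1.1" 200 52011
10.0.0.7 - - [12/Jan/2026:10:00:05 +0000] "GET /stats?year=2025&path=north HTTP/1.1" 200 4120
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/')
# Parameter names that typically carry a filename (hypothetical list; tune per application).
FILE_PARAMS = {"file", "path", "name", "download"}
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")
DRIVE_RE = re.compile(r"^[A-Za-z]:/")

def classify_value(value: str) -> Optional[str]:
    """Label a decoded file-parameter value; None means it looks benign."""
    # parse_qsl decodes one layer; a second unquote catches %252e double encoding.
    # Backslashes are normalised so Windows-style paths are classified too.
    v = unquote(value).replace("\\", "/")
    if DOTDOT_RE.search(v):
        return "relative_traversal"
    if v.startswith("/") or DRIVE_RE.match(v):
        return "absolute_path"
    return None

def scan_log(text: str) -> list:
    """Return one finding per suspicious file-parameter value in the log text."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("uri")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() not in FILE_PARAMS:
                continue
            kind = classify_value(value)
            if kind:
                findings.append({"client": line.split()[0], "param": key,
                                 "value": unquote(value).replace("\\", "/"), "kind": kind})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['kind']:<19} {f['param']}={f['value']}")
```

Against the sample log, the two encoded absolute-path requests are flagged alongside the dot-dot one, while the legitimate report download and the non-file 'path=north' parameter are not.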
