PatchSiren cyber security CVE debrief

CVE-2026-10074 Interinfo CVE debrief

## Summary

CVE-2026-10074 documents an Arbitrary File Read vulnerability in DreamMaker, a product developed by Interinfo. The vulnerability stems from Relative Path Traversal (CWE-23) and can be exploited by privileged local attackers to download arbitrary system files. The vulnerability was published to the CVE List on 2026-05-29 and carries a CVSS 4.0 base score of 6.9 (MEDIUM severity). The NVD entry currently shows a status of 'Deferred,' indicating the record is awaiting analysis.

  • Vendor: Interinfo
  • Product: DreamMaker
  • CVSS: MEDIUM 6.9
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-05-29
  • Original CVE updated: 2026-05-29
  • Advisory published: 2026-05-29
  • Advisory updated: 2026-05-29

Who should care

Organizations running Interinfo DreamMaker in production environments, particularly those with multi-user deployments where privilege separation is critical. Security teams responsible for file integrity monitoring and data loss prevention should prioritize monitoring for this vulnerability given its potential to expose sensitive system files.

Technical summary

The vulnerability allows privileged local attackers to exploit Relative Path Traversal (CWE-23) in DreamMaker to download arbitrary system files. The attack requires high privileges (PR:H) but can be executed over the network (AV:N) with low attack complexity (AC:L). Successful exploitation results in high confidentiality impact (VC:H) with no integrity or availability impact. The specific path traversal entry points within DreamMaker are not detailed in available sources.

Defensive priority

medium

Recommended defensive actions

  • Review and apply security updates from Interinfo for DreamMaker when available, monitoring the TW-CERT advisories for patch notifications
  • Audit DreamMaker deployments for unauthorized file access attempts in system logs, particularly focusing on download or file retrieval operations
  • Implement principle of least privilege for DreamMaker service accounts to reduce exposure from the 'privileged local attacker' requirement
  • Apply input validation and path canonicalization controls to any custom integrations with DreamMaker that handle file paths
  • Consider network segmentation to limit DreamMaker's access to sensitive system files, reducing the impact of successful exploitation
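
For the input validation and path canonicalization action above, the following is an added example and not code from Interinfo or the advisory. The DreamMaker entry points are not published, so it shows the general CWE-23 control for a hypothetical custom integration that serves files from a download root; `naive_join`, `safe_resolve`, `PathRejected` and all sample inputs are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

class PathRejected(ValueError):
    """Requested name would resolve outside the download root."""

def naive_join(root, requested):
    # Weak pattern: one pass of stripping "../" turns "....//" back into "../".
    return os.path.join(root, requested.replace("../", ""))

def safe_resolve(root, requested, max_decode=3):
    """Return the canonical path of `requested` under `root`, or raise PathRejected."""
    # Undo URL-encoding layers so %2e%2e%2f and %252e%252e%252f are checked decoded.
    for _ in range(max_decode):
        decoded = unquote(requested)
        if decoded == requested:
            break
        requested = decoded
    else:
        raise PathRejected("too many encoding layers")
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    requested = requested.replace("\\", "/")  # treat Windows separators alike
    if requested.startswith("/") or os.path.isabs(requested):
        raise PathRejected("absolute path")
    root_real = os.path.realpath(root)
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathRejected("resolves outside root")
    return candidate

def demo():
    """Run constructed inputs against a throwaway download root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.makedirs(root)
        for name in ("reports/q1.txt", "reports/../reports/q1.txt", "/etc/passwd",
                     "..%2fsecret.txt", "%252e%252e%252fsecret.txt"):
            try:
                safe_resolve(root, name)
                results[name] = "allowed"
            except PathRejected as exc:
                results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The check is made on the resolved path rather than on the request string, so a name is accepted only when the file it finally points at sits under the root; the returned canonical path is the one the integration should open.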

Evidence notes

The vulnerability description identifies DreamMaker by Interinfo as the affected product. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N) indicates network attack vector with high privileges required, high confidentiality impact, but no integrity or availability impact. The weakness is classified as CWE-23 (Relative Path Traversal). Two references from Taiwan's TW-CERT are provided, though the specific technical details of the path traversal mechanism are not elaborated in the available source data. The vendor attribution carries low confidence due to limited source information.
