How severe is CVE-2026-1246?

Medium severity. CVSS v3 base score is 4.9 out of 10.

Path Traversal in Shortpixel Image Optimizer – Optimize Images, Convert Webp & Avif

CVE-2026-1246

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (19.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.9 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N.

Affected products

Shortpixel Image Optimizer – Optimize Images, Convert Webp & Avif — versions 0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

Frequently asked questions

What is CVE-2026-1246?: CVE-2026-1246 is a medium-severity vulnerability in Shortpixel Image Optimizer – Optimize Images, Convert Webp & Avif, classified under Path Traversal. CVSS score: 4.9/10. Published 2026-02-05.
How severe is CVE-2026-1246?: Medium severity. CVSS v3 base score is 4.9 out of 10.