CVE-2021-4463

Published: Nov 12, 2025

Modified: May 14, 2026

PUBLISHED

Description

Longjing Technology BEMS API versions up to and including 1.21 contain an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

Vendor: Shenzhen Longjing Technology Co. Ltd.

Product: BEMS API

Versions: affected, 0 - <= 1.21

Weaknesses (CWE)
