CWE-23
Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CVE-2026-41551 (GCVE-0-2026-41551)
Vulnerability from cvelistv5 – Published: 2026-05-12 08:21 – Updated: 2026-05-12 12:40
VLAI
Summary
A vulnerability has been identified in ROS# (All versions < V2.2.2). Affected versions contain a path traversal vulnerability because user input is not properly sanitized.
This could allow a remote attacker to access arbitrary files on the device.
Severity
9.1 (Critical)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41551",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T12:40:22.658338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:40:31.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ROS#",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V2.2.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in ROS# (All versions \u003c V2.2.2). Affected versions contain a path traversal vulnerability because user input is not properly sanitized.\r\nThis could allow a remote attacker to access arbitrary files on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T08:21:18.261Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-357982.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2026-41551",
"datePublished": "2026-05-12T08:21:18.261Z",
"dateReserved": "2026-04-21T08:01:09.876Z",
"dateUpdated": "2026-05-12T12:40:31.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41612 (GCVE-0-2026-41612)
Vulnerability from cvelistv5 – Published: 2026-05-12 16:58 – Updated: 2026-05-26 16:56
VLAI
Title
Visual Studio Code Information Disclosure Vulnerability
Summary
Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
Severity
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Visual Studio Code - Live Preview extension |
Affected:
0.4.0 , < 0.4.19
(custom)
|
Date Public
2026-05-12 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:14:06.534266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:26:57.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Visual Studio Code - Live Preview extension",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "0.4.19",
"status": "affected",
"version": "0.4.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:livepreview:*:*",
"versionEndExcluding": "0.4.19",
"versionStartIncluding": "0.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-12T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en-US",
"type": "CWE"
},
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:56:33.632Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Visual Studio Code Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41612"
}
],
"title": "Visual Studio Code Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-41612",
"datePublished": "2026-05-12T16:58:57.229Z",
"dateReserved": "2026-04-21T22:14:12.923Z",
"dateUpdated": "2026-05-26T16:56:33.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41948 (GCVE-0-2026-41948)
Vulnerability from cvelistv5 – Published: 2026-05-18 13:50 – Updated: 2026-05-26 16:07 X_Open Source
VLAI
Title
Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access
Summary
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
Severity
9.4 (Critical)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://huntr.com/bounties/35b7ad59-e35d-443f-bf7… | technical-descriptionexploit |
| https://github.com/langgenius/dify/pull/35796 | issue-tracking |
| https://www.vulncheck.com/advisories/dify-path-tr… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| langgenius | dify |
Affected:
0 , ≤ 1.14.1
(semver)
|
Date Public
2026-03-30 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:38:43.720028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:38:57.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "dify",
"vendor": "langgenius",
"versions": [
{
"lessThanOrEqual": "1.14.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ido Shani and Gal Zaban of Zafran Security"
}
],
"datePublic": "2026-03-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon\u0027s internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant\u0027s UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:07:59.799Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://huntr.com/bounties/35b7ad59-e35d-443f-bf77-387bfb932ec0"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/langgenius/dify/pull/35796"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/dify-path-traversal-via-plugin-daemon-internal-api-access"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41948",
"datePublished": "2026-05-18T13:50:21.372Z",
"dateReserved": "2026-04-22T18:50:43.622Z",
"dateUpdated": "2026-05-26T16:07:59.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42085 (GCVE-0-2026-42085)
Vulnerability from cvelistv5 – Published: 2026-05-04 17:13 – Updated: 2026-05-04 18:47
VLAI
Title
OpenC3 COSMOS: Arbitrary write to plugins directory via path-traversed config filenames
Summary
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3.
Severity
4.3 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/OpenC3/cosmos/security/advisor… | x_refsource_CONFIRM |
| https://github.com/OpenC3/cosmos/commit/9957a9fa4… | x_refsource_MISC |
| https://github.com/OpenC3/cosmos/commit/e6efccbd1… | x_refsource_MISC |
| https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 | x_refsource_MISC |
| https://github.com/OpenC3/cosmos/releases/tag/v7.… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T18:43:28.813129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:47:32.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cosmos",
"vendor": "OpenC3",
"versions": [
{
"status": "affected",
"version": "\u003c 6.10.5"
},
{
"status": "affected",
"version": "\u003e= 7.0.0.pre.rc1, \u003c 7.0.0-rc3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:13:39.277Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h"
},
{
"name": "https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5"
},
{
"name": "https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42"
},
{
"name": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenC3/cosmos/releases/tag/v6.10.5"
},
{
"name": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3"
}
],
"source": {
"advisory": "GHSA-4jvx-93h3-f45h",
"discovery": "UNKNOWN"
},
"title": "OpenC3 COSMOS: Arbitrary write to plugins directory via path-traversed config filenames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42085",
"datePublished": "2026-05-04T17:13:39.277Z",
"dateReserved": "2026-04-23T19:17:30.566Z",
"dateUpdated": "2026-05-04T18:47:32.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43533 (GCVE-0-2026-43533)
Vulnerability from cvelistv5 – Published: 2026-05-05 11:25 – Updated: 2026-05-06 12:42 X_Open Source
VLAI
Title
OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags
Summary
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.
Severity
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/60477… | patch |
| https://www.vulncheck.com/advisories/openclaw-arb… | third-party-advisory |
Impacted products
Date Public
2026-04-16 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43533",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T12:41:49.362441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T12:42:03.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.4.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2026.4.10",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.4.10",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "feiyang666"
}
],
"datePublic": "2026-04-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T11:25:05.764Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-66r7-m7xm-v49h)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags"
}
],
"tags": [
"x_open-source"
],
"title": "OpenClaw \u003c 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-43533",
"datePublished": "2026-05-05T11:25:05.764Z",
"dateReserved": "2026-05-01T16:56:19.947Z",
"dateUpdated": "2026-05-06T12:42:03.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43616 (GCVE-0-2026-43616)
Vulnerability from cvelistv5 – Published: 2026-05-04 17:33 – Updated: 2026-05-04 19:39 X_Open Source
VLAI
Title
Detect-It-Easy < 3.21 Path Traversal Arbitrary File Write
Summary
Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts.
Severity
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/horsicq/DIE-engine/releases/tag/3.21 | release-notespatch |
| https://github.com/horsicq/Detect-It-Easy | product |
| https://github.com/horsicq/Formats/commit/56cdf50… | patch |
| https://github.com/horsicq/XArchive/commit/6a2aa8… | patch |
| https://github.com/horsicq/DIE-engine/commit/cbbe… | patch |
| https://github.com/horsicq/DIE-engine/commit/7fd3… | patch |
| https://www.vulncheck.com/advisories/detect-it-ea… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| horsicq | DIE-engine |
Affected:
0 , < 3.21.0
(semver)
|
Date Public
2026-04-06 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T19:38:52.093440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T19:39:05.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "DIE-engine",
"vendor": "horsicq",
"versions": [
{
"lessThan": "3.21.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mobasi Security Team"
}
],
"datePublic": "2026-04-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:33:48.591Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://github.com/horsicq/DIE-engine/releases/tag/3.21"
},
{
"tags": [
"product"
],
"url": "https://github.com/horsicq/Detect-It-Easy"
},
{
"tags": [
"patch"
],
"url": "https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259"
},
{
"tags": [
"patch"
],
"url": "https://github.com/horsicq/XArchive/commit/6a2aa84c2fd120b704f76bb5c5ee3e9b5a7a0fcc"
},
{
"tags": [
"patch"
],
"url": "https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69"
},
{
"tags": [
"patch"
],
"url": "https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/detect-it-easy-path-traversal-arbitrary-file-write"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Detect-It-Easy \u003c 3.21 Path Traversal Arbitrary File Write",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-43616",
"datePublished": "2026-05-04T17:33:48.591Z",
"dateReserved": "2026-05-01T18:22:45.639Z",
"dateUpdated": "2026-05-04T19:39:05.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4415 (GCVE-0-2026-4415)
Vulnerability from cvelistv5 – Published: 2026-03-30 07:36 – Updated: 2026-03-31 03:55
VLAI
Title
GIGABYTE|Gigabyte Control Center - Arbitrary File Write
Summary
Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation.
Severity
8.1 (High)
CWE
- CWE-23 - Relative path traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10803-ae014-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10804-689cd-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| GIGABYTE | Gigabyte Control Center |
Affected:
0 , ≤ 25.07.21.01
(custom)
|
Date Public
2026-03-30 07:32
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T03:55:38.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gigabyte Control Center",
"vendor": "GIGABYTE",
"versions": [
{
"lessThanOrEqual": "25.07.21.01",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-03-30T07:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation."
}
],
"value": "Gigabyte Control Center developed by GIGABYTE has an Arbitrary File Write vulnerability. When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative path traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T07:53:32.519Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10803-ae014-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10804-689cd-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Please update to version 25.12.10.01 or later."
}
],
"value": "Please update to version 25.12.10.01 or later."
}
],
"source": {
"advisory": "TVN-202603008",
"discovery": "EXTERNAL"
},
"title": "GIGABYTE\uff5cGigabyte Control Center - Arbitrary File Write",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-4415",
"datePublished": "2026-03-30T07:36:16.066Z",
"dateReserved": "2026-03-19T02:53:07.470Z",
"dateUpdated": "2026-03-31T03:55:38.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48126 (GCVE-0-2026-48126)
Vulnerability from cvelistv5 – Published: 2026-05-26 16:44 – Updated: 2026-05-26 17:27
VLAI
Title
Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir
Summary
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
Severity
8.2 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/xyproto/algernon/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48126",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T17:27:29.590530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:27:56.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "algernon",
"vendor": "xyproto",
"versions": [
{
"status": "affected",
"version": "\u003c 1.17.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory \u2014 arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-644",
"description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T16:44:09.104Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv"
}
],
"source": {
"advisory": "GHSA-jc3j-x6pg-4hmv",
"discovery": "UNKNOWN"
},
"title": "Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48126",
"datePublished": "2026-05-26T16:44:09.104Z",
"dateReserved": "2026-05-20T18:46:58.291Z",
"dateUpdated": "2026-05-26T17:27:56.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5966 (GCVE-0-2026-5966)
Vulnerability from cvelistv5 – Published: 2026-04-20 07:40 – Updated: 2026-04-20 13:30
VLAI
Title
TeamT5|ThreatSonar Anti-Ransomware - Arbitrary File Deletion
Summary
ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system.
Severity
CWE
- CWE-23 - Relative path traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TeamT5 | ThreatSonar Anti-Ransomware |
Affected:
0 , ≤ 4.0.0
(custom)
|
Date Public
2026-04-20 07:37
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:30:17.764113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:30:25.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ThreatSonar Anti-Ransomware",
"vendor": "TeamT5",
"versions": [
{
"lessThanOrEqual": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-20T07:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system."
}
],
"value": "ThreatSonar Anti-Ransomware developed by TeamT5 has an Arbitrary File Deletion vulnerability. Authenticated remote attackers with web access can exploit Path Traversal to delete arbitrary files on the system."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative path traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T07:40:33.323Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Please install hotpatch version 20260302."
}
],
"value": "Please install hotpatch version 20260302."
}
],
"source": {
"advisory": "TVN-202604007",
"discovery": "EXTERNAL"
},
"title": "TeamT5\uff5cThreatSonar Anti-Ransomware - Arbitrary File Deletion",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-5966",
"datePublished": "2026-04-20T07:40:33.323Z",
"dateReserved": "2026-04-09T10:34:44.214Z",
"dateUpdated": "2026-04-20T13:30:25.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7404 (GCVE-0-2026-7404)
Vulnerability from cvelistv5 – Published: 2026-04-29 20:15 – Updated: 2026-04-30 12:24
VLAI
Title
getsimpletool mcpo-simple-server base_manager.py delete_shared_prompt path traversal
Summary
A weakness has been identified in getsimpletool mcpo-simple-server up to 0.2.0. Affected is the function delete_shared_prompt of the file src/mcpo_simple_server/services/prompt_manager/base_manager.py. This manipulation of the argument detail causes relative path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360140 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/360140/cti | signaturepermissions-required |
| https://vuldb.com/submit/803612 | third-party-advisory |
| https://github.com/getsimpletool/mcpo-simple-serv… | exploitissue-tracking |
| https://github.com/getsimpletool/mcpo-simple-server/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| getsimpletool | mcpo-simple-server |
Affected:
0.1
Affected: 0.2.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7404",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T12:24:00.517849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T12:24:10.022Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mcpo-simple-server",
"vendor": "getsimpletool",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LargeW (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in getsimpletool mcpo-simple-server up to 0.2.0. Affected is the function delete_shared_prompt of the file src/mcpo_simple_server/services/prompt_manager/base_manager.py. This manipulation of the argument detail causes relative path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T20:15:14.578Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360140 | getsimpletool mcpo-simple-server base_manager.py delete_shared_prompt path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/360140"
},
{
"name": "VDB-360140 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360140/cti"
},
{
"name": "Submit #803612 | getsimpletool simpletool-server 035efb1c98076ca3febd5e1f5fc3960f81a16af8 Pathname Traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/803612"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/getsimpletool/mcpo-simple-server/issues/4"
},
{
"tags": [
"product"
],
"url": "https://github.com/getsimpletool/mcpo-simple-server/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-29T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-29T15:01:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "getsimpletool mcpo-simple-server base_manager.py delete_shared_prompt path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7404",
"datePublished": "2026-04-29T20:15:14.578Z",
"dateReserved": "2026-04-29T12:56:01.921Z",
"dateUpdated": "2026-04-30T12:24:10.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-5.1
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation ID: MIT-20.1
Phase: Implementation
Strategy: Input Validation
Description:
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation ID: MIT-29
Phase: Operation
Strategy: Firewall
Description:
- Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.