{"uuid": "c08e57bc-2bba-4d03-8016-6fd55afeced5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-12568", "type": "seen", "source": "https://gist.github.com/alon710/77831f5963e3a7aeac8b1ac3758c9a18", "content": "# CVE-2026-12568: Path Traversal and Arbitrary File Write in BBOT postman_download Module\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/CVE-2026-12568\n\n## Summary\nCVE-2026-12568 is a path traversal vulnerability (CWE-22) in the postman_download module of BBOT (Babbage Border Obsession Tool) versions 2.1.0 through 2.8.5. The vulnerability allows an attacker to perform arbitrary file writes on the local machine running the BBOT scan via a maliciously named remote Postman workspace.\n\n## TL;DR\nA path traversal vulnerability in BBOT's postman_download module allows remote attackers to perform arbitrary file writes using crafted Postman workspace names.\n\n## Technical Details\n\n- **CWE ID**: CWE-22\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 6.5\n- **EPSS Score**: 0.00251 (Percentile: 16.15%)\n- **Impact**: Arbitrary File Write\n- **Exploit Status**: None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- BBOT (Babbage Border Obsession Tool)\n- **BBOT**: >= 2.1.0, <= 2.8.5 (Fixed in: `2.8.6`)\n\n## Mitigation\n\n- Upgrade BBOT to a version newer than 2.8.5\n- Apply path sanitization and canonical path validation checks to the postman_download module\n\n**Remediation Steps:**\n1. Identify installations running BBOT versions <= 2.8.5.\n2. Execute `pip install --upgrade bbot` or update the dependency in your environment manager.\n3. Verify the installation of version 2.8.6 or newer.\n4. If updating is restricted, manually apply the path validation logic using pathlib's resolve() and is_relative_to() methods to the postman_download.py module.\n\n## References\n\n- [https://www.cve.org/CVERecord?id=CVE-2026-12568](https://www.cve.org/CVERecord?id=CVE-2026-12568)\n- [https://github.com/blacklanternsecurity/bbot/commit/36bc20818206a59f6d430e905248f85c439e5397](https://github.com/blacklanternsecurity/bbot/commit/36bc20818206a59f6d430e905248f85c439e5397)\n- [https://api.first.org/data/v1/epss?cve=CVE-2026-12568](https://api.first.org/data/v1/epss?cve=CVE-2026-12568)\n- [https://attack.mitre.org/search/?search=CVE-2026-12568](https://attack.mitre.org/search/?search=CVE-2026-12568)\n- [https://www.shodan.io/search?query=CVE-2026-12568](https://www.shodan.io/search?query=CVE-2026-12568)\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-12568) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T16:21:14.000000Z"}