{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/banana-slides--0.4.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-49136"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Banana Slides \u003c= 0.4.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBanana Slides version 0.4.0 is vulnerable to a path traversal vulnerability, identified as CVE-2026-49136, within the AI service backend\u0026rsquo;s \u003ccode\u003egenerate_image()\u003c/code\u003e function. This flaw allows unauthenticated attackers to bypass intended directory confinement, reading arbitrary image-format files from outside the uploads directory. The vulnerability stems from an incomplete path prefix check using \u003ccode\u003eos.path.startswith()\u003c/code\u003e without a trailing separator. By crafting markdown image references in user-controlled page descriptions, attackers can target sibling directories sharing the uploads folder prefix. This bypasses the intended security measure, enabling unauthorized file access via PIL \u003ccode\u003eImage.open()\u003c/code\u003e. The vulnerability was patched in commit e8bc490.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing a markdown image reference within a user-controlled page description. This payload is designed to exploit the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eThe crafted markdown image reference includes a path that resolves to a sibling directory whose name shares the same prefix as the uploads directory (e.g., if the uploads directory is \u003ccode\u003e/var/www/bananaslides/uploads\u003c/code\u003e, a sibling directory might be \u003ccode\u003e/var/www/bananaslides/uploads_backup\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egenerate_image()\u003c/code\u003e function in the AI service backend processes the markdown content and attempts to generate the image.\u003c/li\u003e\n\u003cli\u003eThe application uses \u003ccode\u003eos.path.startswith()\u003c/code\u003e to validate that the path of the requested image begins with the uploads directory path. However, the check lacks a trailing separator (e.g., \u003ccode\u003e/var/www/bananaslides/uploads/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the missing trailing separator, the check incorrectly validates paths to sibling directories that share the prefix.\u003c/li\u003e\n\u003cli\u003eThe application then uses PIL\u0026rsquo;s \u003ccode\u003eImage.open()\u003c/code\u003e function to open and process the image file located at the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eBecause the path traversal was successful, the application reads the contents of an arbitrary image file outside the intended uploads directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves the contents of the targeted file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-49136 allows unauthenticated attackers to read sensitive image-format files from arbitrary locations on the server. This could lead to the exposure of confidential data, including configuration files containing credentials, private keys, or other sensitive information. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Banana Slides to a version greater than 0.4.0, which includes the patch from commit e8bc490, to remediate CVE-2026-49136.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-49136 Exploitation Attempt — Path Traversal in Banana Slides\u0026rdquo; to your SIEM to detect exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs for requests containing path traversal sequences in the \u003ccode\u003ecs-uri-query\u003c/code\u003e or \u003ccode\u003ecs-uri-stem\u003c/code\u003e fields, specifically targeting image-related endpoints as identified in the vulnerability description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T21:19:30Z","date_published":"2026-06-01T21:19:30Z","id":"https://feed.craftedsignal.io/briefs/2026-06-banana-slides-path-traversal/","summary":"Banana Slides version 0.4.0 contains a path traversal vulnerability (CVE-2026-49136) in the generate_image() function that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check.","title":"Banana Slides Path Traversal Vulnerability (CVE-2026-49136)","url":"https://feed.craftedsignal.io/briefs/2026-06-banana-slides-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Banana Slides \u003c= 0.4.0","version":"https://jsonfeed.org/version/1.1"}