Product
Crabbox versions before 0.9.0 contain a path traversal vulnerability (CVE-2026-45224) in the Islo provider's workspace path resolution, allowing attackers to cause arbitrary file deletion and overwrite by crafting malicious .crabbox.yaml files with traversal sequences when sync.delete is enabled.