{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/directory-traversal/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41383"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41383","directory-traversal","file-deletion","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. An attacker with control over the OpenShell configuration paths, specifically \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e, can trigger the deletion of unintended remote directory contents. This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker\u0026rsquo;s workspace, leading to data loss and potential system compromise. 
This vulnerability allows an attacker to potentially wipe out important data on the remote end.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the OpenClaw configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and/or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e configuration values to point to a target directory they wish to delete.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a mirror sync operation.\u003c/li\u003e\n\u003cli\u003eOpenClaw, using the attacker-controlled path, connects to the remote system.\u003c/li\u003e\n\u003cli\u003eOpenClaw deletes the contents of the directory specified by the modified \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpenClaw uploads the contents of the attacker\u0026rsquo;s local workspace to the now-empty remote directory, effectively replacing the original data.\u003c/li\u003e\n\u003cli\u003eThe targeted remote directory now contains the attacker\u0026rsquo;s data instead of the original contents.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. 
Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw configuration files for unauthorized modifications to \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e using a file integrity monitoring system.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-directory-deletion/","summary":"OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.","title":"OpenClaw Arbitrary Directory Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-24884"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["npm","supply-chain","symlink","directory-traversal","privilege-escalation","arbitrary-file-overwrite"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites due to a symlink path traversal bypass. 
This bypass affects the patch for CVE-2026-24884. The vulnerability arises from an incomplete validation in the \u003ccode\u003eisPathWithinParent\u003c/code\u003e utility, where path string checks are performed without verifying the filesystem state, specifically symbolic links. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a \u0026ldquo;poisoned path\u0026rdquo; on their system. The attacker can then craft a malicious archive that, when extracted by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via \u003ccode\u003egit clone\u003c/code\u003e makes this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious Git repository containing a symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) pointing to a sensitive target file or directory (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker generates a malicious payload (e.g., \u003ccode\u003epayload.tar\u003c/code\u003e) containing a file with the same name as the symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) and uploads both to their Git repository.\u003c/li\u003e\n\u003cli\u003eVictim clones the attacker\u0026rsquo;s Git repository using \u003ccode\u003egit clone\u003c/code\u003e. This action automatically restores the symbolic link on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eVictim runs an application that utilizes the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e library to extract the \u003ccode\u003epayload.tar\u003c/code\u003e archive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s \u003ccode\u003eisPathWithinParent\u003c/code\u003e function resolves the path to the file being extracted. 
Due to lack of \u003ccode\u003elstat\u003c/code\u003e checks, the symbolic link is not detected.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.writeFile\u003c/code\u003e function follows the symlink, writing the contents of the file from \u003ccode\u003epayload.tar\u003c/code\u003e to the targeted sensitive file (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eArbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistent access or control by overwriting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to overwrite arbitrary files on the victim\u0026rsquo;s system, potentially leading to privilege escalation by modifying sensitive system files such as \u003ccode\u003e/etc/passwd\u003c/code\u003e. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the \u003ccode\u003ecompressing\u003c/code\u003e library up to version v2.1.0 when extracting untrusted archives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecompressing\u003c/code\u003e npm package to a patched version that includes proper symlink handling. This is the primary remediation.\u003c/li\u003e\n\u003cli\u003eInspect Git repositories for suspicious symbolic links before cloning. 
Use \u003ccode\u003egit ls-tree -r \u0026lt;commit-ish\u0026gt; | grep 120000\u003c/code\u003e to search for symlinks in a repository.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring for file writes to unexpected locations based on the \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s activity. Create a detection rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e to detect writes to sensitive directories such as \u003ccode\u003e/etc\u003c/code\u003e by processes spawned by Node.js that also load the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes related to the \u003ccode\u003ecompressing\u003c/code\u003e library after file extraction. Create a Sigma rule based on \u003ccode\u003enetwork_connection\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e to detect unusual outbound connections after archive extraction.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-compressing-symlink-bypass/","summary":"A vulnerability in the `compressing` npm package (\u003c=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.","title":"compressing npm Package Symlink Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-35446"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["directory-traversal","web-application","neuroimaging"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application designed for data and project management in neuroimaging research. 
Versions 24.0.0 up to, but not including, 27.0.3 and 28.0.1 contain a directory traversal vulnerability (CVE-2026-35446) in the FilesDownloadHandler. This flaw stems from an incorrect order of operations, potentially enabling an attacker to escape the intended download directories and access sensitive files. Successful exploitation requires authentication and could lead to unauthorized access to sensitive research data. Users are advised to upgrade to versions 27.0.3 or 28.0.1 to mitigate this vulnerability. This vulnerability impacts organizations utilizing LORIS for managing sensitive neuroimaging data, potentially exposing research data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the LORIS web application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003eFilesDownloadHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated file path designed to traverse directories outside the intended download directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFilesDownloadHandler\u003c/code\u003e processes the request with an incorrect order of operations when validating the file path.\u003c/li\u003e\n\u003cli\u003eThe application bypasses the intended directory restrictions due to the flawed validation process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to files and directories outside of the designated download directory.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data, including neuroimaging data, project files, or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data for malicious purposes, such as espionage or sale on the dark web.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this directory traversal 
vulnerability (CVE-2026-35446) in LORIS could lead to unauthorized access to sensitive neuroimaging research data. The number of affected organizations is unknown, but any organization using LORIS versions from 24.0.0 up to, but not including, 27.0.3 and 28.0.1 is potentially vulnerable. The impact includes data breaches, intellectual property theft, and potential compromise of patient privacy if patient data is stored within the LORIS system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LORIS to version 27.0.3 or 28.0.1 to remediate CVE-2026-35446, as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect LORIS Directory Traversal Attempt\u0026rdquo; Sigma rule to monitor for suspicious file download requests.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual file download patterns or attempts to access files outside the intended download directories using the file_event log source to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:25:24Z","date_published":"2026-04-08T19:25:24Z","id":"/briefs/2026-04-loris-traversal/","summary":"LORIS, a neuroimaging research data management web application, is vulnerable to directory traversal (CVE-2026-35446) due to an incorrect order of operations in the FilesDownloadHandler, allowing authenticated attackers to access unauthorized files.","title":"LORIS Directory Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-loris-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["directory-traversal","siyuan","cve-2026-33670"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe SiYuan note-taking application is susceptible to a critical directory traversal vulnerability affecting versions up to 0.0.0-20260317012524-fe4523fff2c8. 
The vulnerability resides in the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint, which lacks authentication. This allows unauthenticated attackers to send POST requests to enumerate directories and retrieve file names within the application\u0026rsquo;s data and configuration directories. Successful exploitation allows a malicious actor to gain sensitive information about the application\u0026rsquo;s file structure, and could be chained with a file-reading vulnerability to achieve arbitrary document access. This poses a significant risk to confidentiality and data security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable SiYuan instance.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003epath\u003c/code\u003e parameter specifying the directory to list, such as \u003ccode\u003edata\u003c/code\u003e or \u003ccode\u003econf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SiYuan application processes the request without authentication and returns a JSON response containing a list of files and directories within the specified path.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to identify interesting files and directories.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-5 to traverse deeper into the directory structure.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of sensitive documents or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a separate file reading vulnerability (not detailed in this brief) to access and exfiltrate the identified documents or configuration files, gaining unauthorized access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this directory traversal vulnerability allows an attacker to enumerate the entire directory structure of a SiYuan notebook. This may expose sensitive information stored within the application\u0026rsquo;s data and configuration files. When combined with a file reading vulnerability, attackers can access and exfiltrate arbitrary documents, potentially leading to data breaches and confidentiality compromise. The number of affected users is potentially large, given the popularity of the SiYuan note-taking application. Targeted sectors would include any organization or individual using SiYuan for storing sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply updates to SiYuan to versions greater than 0.0.0-20260317012524-fe4523fff2c8 that patch CVE-2026-33670.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint, as detailed in the rule below, and investigate unexpected activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts in web server logs, tuning it for your environment.\u003c/li\u003e\n\u003cli\u003eBlock access from IP address \u003ccode\u003e172.18.40.184\u003c/code\u003e observed in the exploit PoC, if seen connecting to your SiYuan instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-siyuan-traversal/","summary":"SiYuan note taking application is vulnerable to a directory traversal via the /api/file/readDir endpoint, which does not require authentication, allowing an attacker to enumerate the directory structure and retrieve file names, potentially leading to arbitrary document reading.","title":"SiYuan Note Taking Application Directory Traversal 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-siyuan-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Directory-Traversal","version":"https://jsonfeed.org/version/1.1"}