https://feed.craftedsignal.io/tags/directory-traversal/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.OpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. An attacker with control over the OpenShell configuration paths, specifically remoteWorkspaceDir and remoteAgentWorkspaceDir, can trigger the deletion of unintended remote directory contents. This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker’s workspace, leading to data loss and potential system compromise. This vulnerability allows an attacker to potentially wipe out important data on the remote end.

Attack Chain

1. The attacker gains access to the OpenClaw configuration.
2. The attacker modifies the remoteWorkspaceDir and/or remoteAgentWorkspaceDir configuration values to point to a target directory they wish to delete.
3. The attacker initiates a mirror sync operation.
4. OpenClaw, using the attacker-controlled path, connects to the remote system.
5. OpenClaw deletes the contents of the directory specified by the modified remoteWorkspaceDir or remoteAgentWorkspaceDir.
6. OpenClaw uploads the contents of the attacker’s local workspace to the now-empty remote directory, effectively replacing the original data.
7. The targeted remote directory now contains the attacker’s data instead of the original contents.
8. The attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.

Impact

Successful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.

Recommendation

• Upgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.
• Monitor OpenClaw configuration files for unauthorized modifications to remoteWorkspaceDir and remoteAgentWorkspaceDir using a file integrity monitoring system.
• Implement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.
• Deploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.

]]>highadvisorycve-2026-41383directory-traversalfile-deletionopenclawhttps://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/Sat, 18 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/A vulnerability in the `compressing` npm package (<=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.The compressing npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites due to a symlink path traversal bypass. This bypass affects the patch for CVE-2026-24884. The vulnerability arises from an incomplete validation in the isPathWithinParent utility, where path string checks are performed without verifying the filesystem state, specifically symbolic links. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a “poisoned path” on their system. The attacker can then craft a malicious archive that, when extracted by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via git clone makes this vulnerability particularly dangerous.

Attack Chain

1. Attacker creates a malicious Git repository containing a symbolic link (e.g., config_file) pointing to a sensitive target file or directory (e.g., /tmp/fake_root/etc/passwd).
2. Attacker generates a malicious payload (e.g., payload.tar) containing a file with the same name as the symbolic link (e.g., config_file) and uploads both to their Git repository.
3. Victim clones the attacker’s Git repository using git clone. This action automatically restores the symbolic link on the victim’s system.
4. Victim runs an application that utilizes the vulnerable compressing library to extract the payload.tar archive.
5. The compressing library’s isPathWithinParent function resolves the path to the file being extracted. Due to lack of lstat checks, the symbolic link is not detected.
6. The fs.writeFile function follows the symlink, writing the contents of the file from payload.tar to the targeted sensitive file (e.g., /tmp/fake_root/etc/passwd).
7. Arbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.
8. Attacker achieves persistent access or control by overwriting critical system files.

Impact

Successful exploitation allows attackers to overwrite arbitrary files on the victim’s system, potentially leading to privilege escalation by modifying sensitive system files such as /etc/passwd. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the compressing library up to version v2.1.0 when extracting untrusted archives.

Recommendation

• Upgrade the compressing npm package to a patched version that includes proper symlink handling. This is the primary remediation.
• Inspect Git repositories for suspicious symbolic links before cloning. Use git ls-tree -r <commit-ish> | grep 120000 to search for symlinks in a repository.
• Implement runtime monitoring for file writes to unexpected locations based on the compressing library’s activity. Create a detection rule based on process_creation and file_event to detect writes to sensitive directories such as /etc by processes spawned by Node.js that also load the vulnerable compressing module.
• Monitor network connections originating from processes related to the compressing library after file extraction. Create a Sigma rule based on network_connection and process_creation to detect unusual outbound connections after archive extraction.

]]>criticaladvisorynpmsupply-chainsymlinkdirectory-traversalprivilege-escalationarbitrary-file-overwritehttps://feed.craftedsignal.io/briefs/2026-04-loris-traversal/Wed, 08 Apr 2026 19:25:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-loris-traversal/LORIS, a neuroimaging research data management web application, is vulnerable to directory traversal (CVE-2026-35446) due to an incorrect order of operations in the FilesDownloadHandler, allowing authenticated attackers to access unauthorized files.LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application designed for data and project management in neuroimaging research. Versions 24.0.0 up to, but not including, 27.0.3 and 28.0.1 contain a directory traversal vulnerability (CVE-2026-35446) in the FilesDownloadHandler. This flaw stems from an incorrect order of operations, potentially enabling an attacker to escape the intended download directories and access sensitive files. Successful exploitation requires authentication and could lead to unauthorized access to sensitive research data. Users are advised to upgrade to versions 27.0.3 or 28.0.1 to mitigate this vulnerability. This vulnerability impacts organizations utilizing LORIS for managing sensitive neuroimaging data, potentially exposing research data.

Attack Chain

1. An attacker authenticates to the LORIS web application with valid credentials.
2. The attacker crafts a malicious HTTP request to the FilesDownloadHandler.
3. The crafted request includes a manipulated file path designed to traverse directories outside the intended download directory.
4. The FilesDownloadHandler processes the request with an incorrect order of operations when validating the file path.
5. The application bypasses the intended directory restrictions due to the flawed validation process.
6. The attacker gains access to files and directories outside of the designated download directory.
7. The attacker reads sensitive data, including neuroimaging data, project files, or configuration files.
8. The attacker may exfiltrate sensitive data for malicious purposes, such as espionage or sale on the dark web.

Impact

Successful exploitation of this directory traversal vulnerability (CVE-2026-35446) in LORIS could lead to unauthorized access to sensitive neuroimaging research data. The number of affected organizations is unknown, but any organization using LORIS versions 24.0.0 to before 27.0.3 and 28.0.1 is potentially vulnerable. The impact includes data breaches, intellectual property theft, and potential compromise of patient privacy if patient data is stored within the LORIS system.

Recommendation

• Upgrade LORIS to version 27.0.3 or 28.0.1 to remediate CVE-2026-35446, as indicated in the overview.
• Implement the “Detect LORIS Directory Traversal Attempt” Sigma rule to monitor for suspicious file download requests.
• Review web server access logs for unusual file download patterns or attempts to access files outside the intended download directories using the file_event log source to detect potential exploitation attempts.

]]>mediumadvisorydirectory-traversalweb-applicationneuroimaginghttps://feed.craftedsignal.io/briefs/2026-03-siyuan-traversal/Thu, 26 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-siyuan-traversal/SiYuan note taking application is vulnerable to a directory traversal via the /api/file/readDir endpoint, which does not require authentication, allowing an attacker to enumerate the directory structure and retrieve file names, potentially leading to arbitrary document reading.The SiYuan note-taking application is susceptible to a critical directory traversal vulnerability affecting versions up to 0.0.0-20260317012524-fe4523fff2c8. The vulnerability resides in the /api/file/readDir endpoint, which lacks authentication. This allows unauthenticated attackers to send POST requests to enumerate directories and retrieve file names within the application’s data and configuration directories. Successful exploitation allows a malicious actor to gain sensitive information about the application’s file structure, and could be chained with a file-reading vulnerability to achieve arbitrary document access. This poses a significant risk to confidentiality and data security.

Attack Chain

1. An attacker identifies a vulnerable SiYuan instance.
2. The attacker sends an unauthenticated POST request to the /api/file/readDir endpoint.
3. The POST request includes a path parameter specifying the directory to list, such as data or conf.
4. The SiYuan application processes the request without authentication and returns a JSON response containing a list of files and directories within the specified path.
5. The attacker parses the JSON response to identify interesting files and directories.
6. The attacker repeats steps 2-5 to traverse deeper into the directory structure.
7. The attacker identifies the location of sensitive documents or configuration files.
8. The attacker leverages a separate file reading vulnerability (not detailed in this brief) to access and exfiltrate the identified documents or configuration files, gaining unauthorized access to sensitive information.

Impact

Successful exploitation of this directory traversal vulnerability allows an attacker to enumerate the entire directory structure of a SiYuan notebook. This may expose sensitive information stored within the application’s data and configuration files. When combined with a file reading vulnerability, attackers can access and exfiltrate arbitrary documents, potentially leading to data breaches and confidentiality compromise. The number of affected users is potentially large, given the popularity of the SiYuan note-taking application. Targeted sectors would include any organization or individual using SiYuan for storing sensitive information.

Recommendation

• Apply updates to SiYuan to versions greater than 0.0.0-20260317012524-fe4523fff2c8 that patch CVE-2026-33670.
• Monitor web server logs for POST requests to the /api/file/readDir endpoint, as detailed in the rule below, and investigate unexpected activity.
• Deploy the Sigma rule provided to detect exploitation attempts in web server logs, tuning it for your environment.
• Block access from IP address 172.18.40.184 observed in the exploit PoC, if seen connecting to your SiYuan instances.

]]>criticaladvisorydirectory-traversalsiyuancve-2026-33670