{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/path-traversal/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openmrs-web (\u003c= 2.7.8)","openmrs-web (\u003e= 2.8.0, \u003c= 2.8.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","zip-slip","rce","openmrs","web-application"],"_cs_type":"advisory","_cs_vendors":["OpenMRS"],"content_html":"\u003cp\u003eOpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the \u003ccode\u003ePOST /openmrs/ws/rest/v1/module\u003c/code\u003e endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted \u003ccode\u003e.omod\u003c/code\u003e archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. The vulnerability stems from incomplete path validation within the \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e function, an oversight compared to other extraction methods within the same codebase that are properly protected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e.omod\u003c/code\u003e file containing a ZIP entry with a path traversal payload, such as \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint, uploading the malicious \u003ccode\u003e.omod\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and parses the uploaded \u003ccode\u003e.omod\u003c/code\u003e file, treating it as a ZIP archive.\u003c/li\u003e\n\u003cli\u003eDuring module loading via \u003ccode\u003eWebModuleUtil.startModule()\u003c/code\u003e, the server extracts entries under the \u003ccode\u003eweb/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDue to an incomplete check, the entry \u003ccode\u003eweb/module/../../../../\u0026lt;target_filename\u0026gt;.jsp\u003c/code\u003e passes the initial validation.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write the extracted file to a path constructed by concatenating the traversed path, resulting in writing the file outside the intended \u003ccode\u003eWEB-INF/view/module/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eIf the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS\u0026rsquo;s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenMRS Malicious Module Upload\u003c/code\u003e to identify exploitation attempts based on HTTP requests to the \u003ccode\u003e/openmrs/ws/rest/v1/module\u003c/code\u003e endpoint with suspicious file extensions in the query parameters.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events within the web application root directory for suspicious JSP files. Use the Sigma rule \u003ccode\u003eDetect JSP File Creation in Web Application Root\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003cli\u003eEnforce the \u003ccode\u003emodule.allow_web_admin\u003c/code\u003e restriction consistently across all module upload entry points, including the REST API to prevent bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:39:31Z","date_published":"2026-05-04T17:39:31Z","id":"/briefs/2024-01-openmrs-zip-slip/","summary":"OpenMRS versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, are vulnerable to a path traversal (Zip Slip) attack via the `POST /openmrs/ws/rest/v1/module` endpoint that allows authenticated attackers to achieve arbitrary file write and remote code execution.","title":"OpenMRS Module Upload Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-zip-slip/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7594"}],"_cs_exploited":false,"_cs_products":["mcp-game-asset-gen 0.1.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["Flux159"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7594, has been discovered in Flux159 mcp-game-asset-gen version 0.1.0. The vulnerability resides within the \u003ccode\u003eimage_to_3d_async\u003c/code\u003e function located in the \u003ccode\u003esrc/index.ts\u003c/code\u003e file of the MCP Interface component. Successful exploitation allows a remote attacker to manipulate the \u003ccode\u003estatusFile\u003c/code\u003e argument, potentially leading to unauthorized file access and modification. Public exploits are available, increasing the risk of widespread exploitation. The project maintainers were notified via an issue report, but have not yet addressed the vulnerability. This lack of response, coupled with the existence of public exploits, elevates the urgency for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of mcp-game-asset-gen 0.1.0 running on a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eimage_to_3d_async\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker manipulates the \u003ccode\u003estatusFile\u003c/code\u003e argument to include path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request, using the attacker-controlled \u003ccode\u003estatusFile\u003c/code\u003e value to construct a file path.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the path traversal sequences are not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read or write to a file outside the intended directory, based on the manipulated path.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains unauthorized access to sensitive files or overwrites critical system files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file access to further compromise the system, potentially leading to code execution or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability could allow attackers to read sensitive files, overwrite critical system files, or even achieve remote code execution on the affected server. This could lead to data breaches, system instability, or complete server compromise. Given the availability of public exploits, organizations using mcp-game-asset-gen 0.1.0 are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003estatusFile\u003c/code\u003e argument within the \u003ccode\u003eimage_to_3d_async\u003c/code\u003e function to prevent path traversal, addressing CVE-2026-7594.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;) in the \u003ccode\u003estatusFile\u003c/code\u003e parameter using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule targeting process creation events related to the exploitation of CVE-2026-7594.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T21:16:17Z","date_published":"2026-05-01T21:16:17Z","id":"/briefs/2026-05-mcp-game-asset-gen-path-traversal/","summary":"A path traversal vulnerability exists in Flux159 mcp-game-asset-gen version 0.1.0, where manipulation of the `statusFile` argument in the `image_to_3d_async` function allows for remote exploitation.","title":"Flux159 mcp-game-asset-gen Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-mcp-game-asset-gen-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7519"}],"_cs_exploited":false,"_cs_products":["LiveBOS (\u003c= 2.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7519"],"_cs_type":"advisory","_cs_vendors":["Fujian Apex"],"content_html":"\u003cp\u003eFujian Apex LiveBOS, a live broadcasting system, is vulnerable to a path traversal attack. This vulnerability, identified as CVE-2026-7519, exists due to insufficient input validation on the filename parameter within the /feed/UploadImage.do endpoint. Versions up to and including 2.0 are affected. Publicly available exploits exist, increasing the risk of exploitation. An attacker can leverage this flaw to access sensitive files on the server, potentially leading to information disclosure or further system compromise. Upgrading to version 2.1 or applying available patches is strongly recommended.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Fujian Apex LiveBOS instance running version 2.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the /feed/UploadImage.do endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the filename parameter within the request, injecting path traversal sequences (e.g., ../../).\u003c/li\u003e\n\u003cli\u003eThe server-side application fails to properly sanitize the filename, allowing the path traversal sequence to be processed.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read a file based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the leaked file content for sensitive information (e.g., credentials, configuration files).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive files on the LiveBOS server. This could include configuration files containing database credentials, private keys, or other confidential information. The impact ranges from information disclosure to potential full system compromise, depending on the accessed data. There are no reported victims or sectors targeted as of yet, but the public availability of the exploit increases the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Fujian Apex LiveBOS to version 2.1 to remediate CVE-2026-7519.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LiveBOS Path Traversal Attempt\u003c/code\u003e to identify malicious requests exploiting the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing path traversal sequences targeting the \u003ccode\u003e/feed/UploadImage.do\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T01:16:38Z","date_published":"2026-05-01T01:16:38Z","id":"/briefs/2026-05-livebos-path-traversal/","summary":"A path traversal vulnerability exists in Fujian Apex LiveBOS version 2.0 and earlier, allowing remote attackers to read arbitrary files by manipulating the filename argument in the /feed/UploadImage.do endpoint.","title":"Fujian Apex LiveBOS Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-livebos-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2018-1002208"}],"_cs_exploited":false,"_cs_products":["ABB PCM600"],"_cs_severities":["medium"],"_cs_tags":["ics","path traversal","industrial control system"],"_cs_type":"advisory","_cs_vendors":["ABB"],"content_html":"\u003cp\u003eABB PCM600 versions 1.5 through 2.13 are vulnerable to a path traversal flaw (CVE-2018-1002208) within the SharpZip.dll library. Successful exploitation enables a local attacker with low privileges to execute arbitrary code on the affected system. This vulnerability resides in the software used to configure and manage protection and control IEDs (Intelligent Electronic Devices) in critical infrastructure sectors, specifically critical manufacturing. ABB recommends updating to PCM600 version 2.14 to remediate this vulnerability. The vulnerability was reported to CISA by ABB PSIRT.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privilege access to the target system running a vulnerable ABB PCM600 version.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious message containing a path traversal payload designed to exploit CVE-2018-1002208.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted message to the system node, targeting the vulnerable SharpZip.dll.\u003c/li\u003e\n\u003cli\u003eThe SharpZip.dll processes the message without properly sanitizing the provided path.\u003c/li\u003e\n\u003cli\u003eThe path traversal vulnerability allows the attacker to write arbitrary files to locations outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file write capability to place a malicious executable or library in a trusted location.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the malicious code, achieving arbitrary code execution on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as escalating privileges, installing malware, or disrupting industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-1002208 can lead to arbitrary code execution on systems running vulnerable ABB PCM600 versions within critical manufacturing environments. While no specific victim counts or sectors are detailed in the advisory, the vulnerability\u0026rsquo;s presence in industrial control systems poses a significant risk. A successful attack could disrupt manufacturing processes, cause equipment damage, or lead to data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to ABB Protection and control IED manager PCM600 version 2.14 to address CVE-2018-1002208 as per the vendor\u0026rsquo;s recommendation.\u003c/li\u003e\n\u003cli\u003eIf using RE_630 protection relays with older PCM600 versions, implement system-level defenses as described in ABB\u0026rsquo;s security advisory 2NGA002813.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet, as recommended by CISA.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for suspicious file paths that may indicate path traversal attempts exploiting CVE-2018-1002208, using a rule similar to the example provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-abb-pcm600-path-traversal/","summary":"A path traversal vulnerability in ABB PCM600 versions 1.5 to 2.13 (CVE-2018-1002208) allows a local attacker with low privileges to execute arbitrary code by sending a specially crafted message to the system node.","title":"ABB PCM600 Path Traversal Vulnerability (CVE-2018-1002208)","url":"https://feed.craftedsignal.io/briefs/2026-04-abb-pcm600-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-34978"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","cups","cve-2026-34978","file write"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-34978 is a path traversal vulnerability affecting OpenPrinting CUPS, a modular printing system that allows a computer to act as a print server. The vulnerability exists within the RSS notify-recipient-uri functionality, which improperly validates file paths. By crafting a malicious URI, an attacker can write files outside the intended CacheDir/rss directory. This can lead to the overwriting of critical system files, such as job.cache, potentially disrupting print services and, in some scenarios, leading to arbitrary code execution. This vulnerability was disclosed by Microsoft and requires immediate attention from system administrators to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious RSS notify-recipient-uri containing a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe crafted URI is submitted to the CUPS server through a print job request or a configuration setting.\u003c/li\u003e\n\u003cli\u003eCUPS processes the URI and attempts to write a file to the specified location.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the file is written outside the intended CacheDir/rss directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a critical file, such as job.cache, with malicious content.\u003c/li\u003e\n\u003cli\u003eThe CUPS server attempts to access the overwritten file.\u003c/li\u003e\n\u003cli\u003eIf job.cache is successfully overwritten, the attacker can gain control of the print queue or cause a denial of service by corrupting the print system\u0026rsquo;s state.\u003c/li\u003e\n\u003cli\u003eIn a more advanced scenario, the attacker could potentially achieve arbitrary code execution by overwriting other binaries or configuration files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34978 can lead to denial of service by corrupting the printing system state. By overwriting critical CUPS files, an attacker can disrupt printing services. In more critical scenarios, the vulnerability could be leveraged to achieve arbitrary code execution, potentially allowing the attacker to gain complete control over the affected system. The scope of the impact is dependent on the permissions of the CUPS process and the specific files that are overwritten.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by OpenPrinting to address CVE-2026-34978.\u003c/li\u003e\n\u003cli\u003eMonitor CUPS server logs for suspicious activity related to file writes outside the CacheDir/rss directory. Consider deploying the provided Sigma rule \u003ccode\u003eDetect CUPS Path Traversal File Write\u003c/code\u003e to identify such attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on any user-supplied data that is used to construct file paths within CUPS.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit CUPS configuration settings to ensure that they are secure and do not allow for path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T08:46:41Z","date_published":"2026-04-30T08:46:41Z","id":"/briefs/2026-05-cups-path-traversal/","summary":"CVE-2026-34978 is a path traversal vulnerability in OpenPrinting CUPS that allows writing files outside the CacheDir/rss directory, potentially overwriting the job.cache file.","title":"OpenPrinting CUPS Path Traversal Vulnerability (CVE-2026-34978)","url":"https://feed.craftedsignal.io/briefs/2026-05-cups-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7404"}],"_cs_exploited":false,"_cs_products":["mcpo-simple-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7404"],"_cs_type":"advisory","_cs_vendors":["getsimpletool"],"content_html":"\u003cp\u003eA relative path traversal vulnerability, identified as CVE-2026-7404, has been discovered in getsimpletool mcpo-simple-server up to version 0.2.0. The vulnerability resides within the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function of the \u003ccode\u003esrc/mcpo_simple_server/services/prompt_manager/base_manager.py\u003c/code\u003e file. By manipulating the \u003ccode\u003edetail\u003c/code\u003e argument, a remote attacker can traverse the file system and delete arbitrary files. The vulnerability is remotely exploitable, and proof-of-concept exploit code is publicly available. The maintainers of the getsimpletool project have been notified of this vulnerability but have not yet responded. This poses a significant risk to systems running mcpo-simple-server, as it could lead to unauthorized file deletion and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable mcpo-simple-server instance running version 0.2.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003edetail\u003c/code\u003e argument containing relative path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request and passes the manipulated \u003ccode\u003edetail\u003c/code\u003e argument to the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function uses the attacker-controlled \u003ccode\u003edetail\u003c/code\u003e argument to construct a file path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences, the resulting file path points to a location outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete the file at the attacker-specified location.\u003c/li\u003e\n\u003cli\u003eIf permissions allow, the file is successfully deleted, leading to potential data loss or system instability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to delete arbitrary files on the affected system. This can lead to data loss, application malfunction, or even complete system compromise, depending on the files targeted for deletion. Given the public availability of exploit code, systems running vulnerable versions of mcpo-simple-server are at immediate risk. The impact is especially severe if the targeted files are critical system files or application data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade mcpo-simple-server to a patched version that addresses CVE-2026-7404, if available from the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mcpo-Simple-Server Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on the \u003ccode\u003edetail\u003c/code\u003e argument of the \u003ccode\u003edelete_shared_prompt\u003c/code\u003e function, if patching is not immediately feasible.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as requests containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eRestrict file system permissions to limit the impact of successful path traversal attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:16:22Z","date_published":"2026-04-29T21:16:22Z","id":"/briefs/2026-04-mcpo-simple-server-traversal/","summary":"A relative path traversal vulnerability exists in getsimpletool mcpo-simple-server \u003c= 0.2.0, allowing remote attackers to delete arbitrary files via manipulation of the `detail` argument in the `delete_shared_prompt` function.","title":"Relative Path Traversal Vulnerability in mcpo-simple-server","url":"https://feed.craftedsignal.io/briefs/2026-04-mcpo-simple-server-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7386"}],"_cs_exploited":false,"_cs_products":["mail-mcp-bridge"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["fatbobman"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7386, has been discovered in fatbobman mail-mcp-bridge version 1.3.3 and prior. The vulnerability resides within the \u003ccode\u003esrc/mail_mcp_server.py\u003c/code\u003e file, specifically affecting an unspecified function that handles the \u003ccode\u003emessage_ids\u003c/code\u003e argument. A remote attacker can exploit this flaw by crafting malicious requests containing manipulated \u003ccode\u003emessage_ids\u003c/code\u003e values. Successful exploitation allows the attacker to traverse the file system and potentially read sensitive files. An exploit is publicly available. The vulnerability is addressed in version 1.3.4, with patch \u003ccode\u003e638b162b26532e32fa8d8047f638537dbdfe197a\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of mail-mcp-bridge running version 1.3.3 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the endpoint that processes \u003ccode\u003emessage_ids\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker includes a \u003ccode\u003emessage_ids\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application, without proper validation, processes the manipulated \u003ccode\u003emessage_ids\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access a file path constructed using the attacker-controlled input.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences, the application accesses a file outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application reads the contents of the traversed file.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the file, gaining access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the server. This could lead to the exposure of sensitive data such as configuration files, application source code, or user data. With a CVSS v3.1 base score of 7.3, this vulnerability poses a significant risk. The number of affected installations is unknown, but any instance of mail-mcp-bridge running a vulnerable version is susceptible to attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade fatbobman mail-mcp-bridge to version 1.3.4 or later to apply the patch \u003ccode\u003e638b162b26532e32fa8d8047f638537dbdfe197a\u003c/code\u003e that resolves CVE-2026-7386.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect mail-mcp-bridge Path Traversal Attempt\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003emessage_ids\u003c/code\u003e parameter to prevent path traversal attacks in web applications, even after patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T16:16:29Z","date_published":"2026-04-29T16:16:29Z","id":"/briefs/2026-04-mail-mcp-bridge-path-traversal/","summary":"A path traversal vulnerability exists in fatbobman mail-mcp-bridge version 1.3.3 and earlier, allowing a remote attacker to read arbitrary files by manipulating the message_ids argument in the src/mail_mcp_server.py file.","title":"Path Traversal Vulnerability in mail-mcp-bridge","url":"https://feed.craftedsignal.io/briefs/2026-04-mail-mcp-bridge-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7315"}],"_cs_exploited":false,"_cs_products":["spire-pdf-mcp-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["eiceblue"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7315, affects eiceblue spire-pdf-mcp-server version 0.1.1. The vulnerability resides in the \u003ccode\u003eget_pdf_path\u003c/code\u003e function within the \u003ccode\u003esrc/spire_pdf_mcp/server.py\u003c/code\u003e file. By manipulating the \u003ccode\u003efilepath\u003c/code\u003e argument, a remote attacker can bypass directory traversal restrictions and potentially access sensitive files on the server. Public exploits are available, increasing the risk of exploitation. The vendor has been notified but has not yet provided a patch or response. This vulnerability poses a significant risk to systems running the affected software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of eiceblue spire-pdf-mcp-server 0.1.1 exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eget_pdf_path\u003c/code\u003e function, embedding a path traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e) within the \u003ccode\u003efilepath\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and processes the \u003ccode\u003efilepath\u003c/code\u003e argument without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_pdf_path\u003c/code\u003e function constructs a file path using the attacker-controlled input, allowing the traversal of directories outside the intended PDF file storage location.\u003c/li\u003e\n\u003cli\u003eThe server attempts to access a file outside the intended directory, based on the manipulated path.\u003c/li\u003e\n\u003cli\u003eIf successful, the server reads the contents of the arbitrary file.\u003c/li\u003e\n\u003cli\u003eThe server returns the contents of the file to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information, potentially including configuration files, credentials, or other confidential data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7315 allows a remote attacker to read arbitrary files on the server. This can lead to the disclosure of sensitive information, such as configuration files, credentials, or internal application code. The impact could include complete compromise of the affected system and potential lateral movement within the network. Given the availability of public exploits, the risk of widespread exploitation is elevated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Spire-PDF Path Traversal Attempt\u003c/code\u003e to identify malicious requests containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests targeting the \u003ccode\u003eget_pdf_path\u003c/code\u003e function with suspicious \u003ccode\u003efilepath\u003c/code\u003e parameters (e.g., containing \u0026ldquo;../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures for the \u003ccode\u003efilepath\u003c/code\u003e argument in the \u003ccode\u003eget_pdf_path\u003c/code\u003e function to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates from the vendor as soon as they are released to address CVE-2026-7315.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-spire-pdf-path-traversal/","summary":"A path traversal vulnerability exists in eiceblue spire-pdf-mcp-server version 0.1.1, allowing remote attackers to access arbitrary files via manipulation of the filepath argument in the get_pdf_path function.","title":"Eiceblue Spire-PDF-MCP-Server Path Traversal Vulnerability (CVE-2026-7315)","url":"https://feed.craftedsignal.io/briefs/2026-04-spire-pdf-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7314"}],"_cs_exploited":false,"_cs_products":["spire-doc-mcp-server 1.0.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7314"],"_cs_type":"advisory","_cs_vendors":["eiceblue"],"content_html":"\u003cp\u003eA critical path traversal vulnerability has been identified in eiceblue spire-doc-mcp-server version 1.0.0. The vulnerability resides within the \u003ccode\u003eget_doc_path\u003c/code\u003e function of the \u003ccode\u003esrc/spire_doc_mcp/api/base.py\u003c/code\u003e file. By manipulating the \u003ccode\u003edocument_name\u003c/code\u003e argument, an attacker can bypass intended directory restrictions and access files outside the designated document path. This attack can be initiated remotely without authentication, posing a significant risk. Public exploits are available, increasing the likelihood of exploitation. The vendor was notified through an issue report, but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the spire-doc-mcp-server.\u003c/li\u003e\n\u003cli\u003eThe request targets an endpoint that utilizes the vulnerable \u003ccode\u003eget_doc_path\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003edocument_name\u003c/code\u003e parameter within the request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edocument_name\u003c/code\u003e parameter contains a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;) designed to escape the intended directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_doc_path\u003c/code\u003e function fails to properly sanitize or validate the \u003ccode\u003edocument_name\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path based on the malicious input.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read the file at the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves the contents of an arbitrary file on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows an attacker to read sensitive files on the server. This could include configuration files containing credentials, source code, or other confidential data. The CVSS v3.1 score of 7.3 reflects the high severity of this issue. The lack of vendor response and availability of public exploits significantly increases the risk to organizations using vulnerable versions of spire-doc-mcp-server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Spire-doc-mcp-server Path Traversal Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts by monitoring web server logs for path traversal sequences.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003edocument_name\u003c/code\u003e argument in the \u003ccode\u003eget_doc_path\u003c/code\u003e function within \u003ccode\u003esrc/spire_doc_mcp/api/base.py\u003c/code\u003e to prevent path traversal.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing path traversal sequences (e.g., \u0026ldquo;..%2F\u0026rdquo;, \u0026ldquo;../\u0026rdquo;) targeting endpoints related to document retrieval.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-spire-doc-mcp-server-path-traversal/","summary":"A path traversal vulnerability exists in eiceblue spire-doc-mcp-server version 1.0.0, allowing a remote attacker to access arbitrary files by manipulating the 'document_name' argument in the 'get_doc_path' function.","title":"eiceblue spire-doc-mcp-server Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-spire-doc-mcp-server-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7319"}],"_cs_exploited":true,"_cs_products":["execution-system-mcp 0.1.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7319"],"_cs_type":"threat","_cs_vendors":["elinsky"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7319, affects elinsky execution-system-mcp version 0.1.0. The vulnerability resides in the \u003ccode\u003e_get_context_file_path\u003c/code\u003e function located within the \u003ccode\u003esrc/execution_system_mcp/server.py\u003c/code\u003e file, which is part of the \u003ccode\u003eadd_action\u003c/code\u003e Tool component. By manipulating the \u003ccode\u003econtext\u003c/code\u003e argument, a remote attacker can bypass directory restrictions and access unauthorized files. The existence of a published exploit increases the risk of this vulnerability being actively exploited. Defenders should prioritize patching and implementing mitigations to prevent potential data breaches or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of elinsky execution-system-mcp 0.1.0 running remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eadd_action\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker injects a path traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e) into the \u003ccode\u003econtext\u003c/code\u003e argument of the \u003ccode\u003e_get_context_file_path\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_get_context_file_path\u003c/code\u003e function processes the tainted input without proper sanitization, allowing the path traversal sequence to resolve to a file outside of the intended directory.\u003c/li\u003e\n\u003cli\u003eThe server attempts to read the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eSensitive information from the targeted file is read by the server.\u003c/li\u003e\n\u003cli\u003eThe server returns the content of the file, or an error message indicating the file content, to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains sensitive information, potentially leading to further exploitation, such as privilege escalation or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the server. This could lead to the disclosure of sensitive information, such as configuration files, source code, or user data. The CVSS v3.1 score of 7.3 indicates a high severity, highlighting the potential for significant impact. The lack of specifics regarding victim count and sectors targeted in the source information makes it difficult to quantify the precise scale of potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for elinsky execution-system-mcp to address CVE-2026-7319.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent path traversal attacks within the \u003ccode\u003e_get_context_file_path\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts by monitoring for suspicious path traversal sequences in HTTP requests to the \u003ccode\u003eadd_action\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing path traversal sequences such as \u0026ldquo;../\u0026rdquo; and ensure proper logging of access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T10:00:00Z","date_published":"2026-04-29T10:00:00Z","id":"/briefs/2026-04-elinsky-path-traversal/","summary":"Elinsky execution-system-mcp 0.1.0 is vulnerable to path traversal via manipulation of the context argument in the _get_context_file_path function, allowing remote attackers to access sensitive files.","title":"Elinsky execution-system-mcp Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-elinsky-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7159"}],"_cs_exploited":false,"_cs_products":["mkdocs-mcp-plugin (\u003c= 0.4.1)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","mkdocs","CVE-2026-7159"],"_cs_type":"advisory","_cs_vendors":["douinc"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7159, has been discovered in douinc\u0026rsquo;s mkdocs-mcp-plugin, affecting versions up to 0.4.1. The flaw resides within the \u003ccode\u003eread_document\u003c/code\u003e and \u003ccode\u003elist_documents\u003c/code\u003e functions of the \u003ccode\u003eserver.py\u003c/code\u003e file. By manipulating the \u003ccode\u003edocs_dir\u003c/code\u003e or \u003ccode\u003efile_path\u003c/code\u003e arguments, a remote attacker can bypass intended access restrictions and potentially read sensitive files on the server. A public exploit is available, increasing the risk of exploitation. The vendor has acknowledged the vulnerability and plans to release a fix in the coming days. This vulnerability poses a significant risk to systems using the affected plugin, potentially exposing sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a server running a vulnerable version (\u0026lt;= 0.4.1) of the \u003ccode\u003emkdocs-mcp-plugin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003eread_document\u003c/code\u003e or \u003ccode\u003elist_documents\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003edocs_dir\u003c/code\u003e or \u003ccode\u003efile_path\u003c/code\u003e parameter designed to traverse the file system. This commonly involves using sequences like \u003ccode\u003e../\u003c/code\u003e to move up directories.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eserver.py\u003c/code\u003e script fails to properly sanitize or validate the provided path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read a file outside the intended document root, based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned in the HTTP response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to enumerate and access various sensitive files.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information, potentially including configuration files, source code, or user data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-7159) can lead to unauthorized access to sensitive files on the server. This could include configuration files, application source code, or user data. The impact ranges from information disclosure to potential compromise of the entire system, depending on the nature of the exposed data. Given the public availability of an exploit, affected systems are at increased risk of attack. The vendor is planning to release a fix soon.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch for mkdocs-mcp-plugin as soon as it is released by the vendor to remediate CVE-2026-7159.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mkdocs Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URL patterns containing path traversal sequences like \u003ccode\u003e../\u003c/code\u003e targeting file access endpoints, as detailed in the Attack Chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T12:00:00Z","date_published":"2026-04-28T12:00:00Z","id":"/briefs/2026-04-mkdocs-path-traversal/","summary":"A path traversal vulnerability exists in douinc mkdocs-mcp-plugin up to version 0.4.1, allowing remote attackers to access unauthorized files through manipulation of the docs_dir/file_path argument in the read_document/list_documents functions within server.py.","title":"mkdocs-mcp-plugin Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mkdocs-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7237"}],"_cs_exploited":false,"_cs_products":["scaffold-mcp"],"_cs_severities":["high"],"_cs_tags":["path-traversal","cve","web-application"],"_cs_type":"advisory","_cs_vendors":["AgiFlow"],"content_html":"\u003cp\u003eAgiFlow scaffold-mcp, a software component with unknown functionality, is vulnerable to a path traversal attack. This vulnerability, identified as CVE-2026-7237, affects versions up to 1.0.27. The vulnerability resides in the \u003ccode\u003epackages/scaffold-mcp/src/server/index.ts\u003c/code\u003e file, specifically within the \u0026ldquo;write-to-file\u0026rdquo; tool. An attacker can remotely exploit this flaw by manipulating the \u003ccode\u003efile_path\u003c/code\u003e argument, enabling them to write to arbitrary locations on the server. A patch has been released in version 1.1.0 with commit hash \u003ccode\u003ec4d23592ae5fb59cfeefc4641e6826f8ac89b9c6\u003c/code\u003e to address this vulnerability. The exploit is publicly available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AgiFlow scaffold-mcp instance running a vulnerable version (\u0026lt;= 1.0.27).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u0026ldquo;write-to-file\u0026rdquo; tool.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated \u003ccode\u003efile_path\u003c/code\u003e argument containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;, \u0026ldquo;..\\\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request without proper sanitization or validation of the \u003ccode\u003efile_path\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application attempts to write data to the attacker-controlled file path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences, the data is written to an arbitrary location on the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker may overwrite critical system files, inject malicious code, or exfiltrate sensitive data, depending on the write permissions and targeted file location.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to arbitrary code execution, data compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7237 allows attackers to write arbitrary files to the affected system, potentially leading to code execution, data exfiltration, or denial of service. The number of affected installations is currently unknown. Due to the public availability of the exploit, organizations using AgiFlow scaffold-mcp are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AgiFlow scaffold-mcp to version 1.1.0 or later to remediate CVE-2026-7237, applying the patch identified by commit hash \u003ccode\u003ec4d23592ae5fb59cfeefc4641e6826f8ac89b9c6\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003efile_path\u003c/code\u003e argument within the \u0026ldquo;write-to-file\u0026rdquo; tool to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AgiFlow Scaffold-mcp Path Traversal Attempt\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences in the URI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T08:16:02Z","date_published":"2026-04-28T08:16:02Z","id":"/briefs/2024-01-agiflow-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-7237) exists in AgiFlow scaffold-mcp versions up to 1.0.27, allowing remote attackers to write to arbitrary files by manipulating the file_path argument in the write-to-file tool.","title":"AgiFlow scaffold-mcp Path Traversal Vulnerability (CVE-2026-7237)","url":"https://feed.craftedsignal.io/briefs/2024-01-agiflow-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7234"}],"_cs_exploited":false,"_cs_products":["browser-operator-core (\u003c= 0.6.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7234"],"_cs_type":"advisory","_cs_vendors":["BrowserOperator"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in BrowserOperator browser-operator-core versions up to 0.6.0. The vulnerability, designated as CVE-2026-7234, resides in the \u003ccode\u003estartsWith\u003c/code\u003e function within the \u003ccode\u003escripts/component_server/server.js\u003c/code\u003e file. By manipulating the \u003ccode\u003erequest.url\u003c/code\u003e argument, an attacker can bypass path restrictions and potentially access sensitive files on the server. The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available. The BrowserOperator project has been notified, but a patch has not yet been released. Successful exploitation could lead to information disclosure and unauthorized access to system resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable BrowserOperator browser-operator-core instance running a version prior to 0.6.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ecomponent_server/server.js\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003erequest.url\u003c/code\u003e argument designed to bypass the \u003ccode\u003estartsWith\u003c/code\u003e function\u0026rsquo;s intended path restrictions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estartsWith\u003c/code\u003e function fails to properly sanitize or validate the \u003ccode\u003erequest.url\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eThe application uses the attacker-controlled \u003ccode\u003erequest.url\u003c/code\u003e to construct a file path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read a file based on the constructed path, traversing directories outside of the intended scope.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to read arbitrary files on the server hosting the BrowserOperator browser-operator-core application. This could lead to the disclosure of sensitive information, including configuration files, credentials, or source code. The lack of response from the project maintainers increases the risk of widespread exploitation, especially given the availability of a public exploit.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect webserver logs for HTTP requests containing path traversal patterns in the URL targeting the \u003ccode\u003ecomponent_server/server.js\u003c/code\u003e endpoint to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect BrowserOperator Path Traversal Attempt\u003c/code\u003e to identify suspicious requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns originating from the BrowserOperator application.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint, mitigating the risk of CVE-2026-7234.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T07:16:04Z","date_published":"2026-04-28T07:16:04Z","id":"/briefs/2026-04-browseroperator-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-7234) exists in BrowserOperator browser-operator-core up to version 0.6.0, allowing remote attackers to read arbitrary files by manipulating the request.url argument in the startsWith function of scripts/component_server/server.js.","title":"BrowserOperator Core Path Traversal Vulnerability (CVE-2026-7234)","url":"https://feed.craftedsignal.io/briefs/2026-04-browseroperator-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7214"}],"_cs_exploited":false,"_cs_products":["engineer-your-data (\u003c= 0.1.3)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability"],"_cs_type":"advisory","_cs_vendors":["eghuzefa"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7214, has been discovered in eghuzefa\u0026rsquo;s engineer-your-data, specifically affecting versions up to 0.1.3. This flaw resides within the \u003ccode\u003eread_file\u003c/code\u003e, \u003ccode\u003ewrite_file\u003c/code\u003e, \u003ccode\u003elist_files\u003c/code\u003e, and \u003ccode\u003efile_inf\u003c/code\u003e functions of the \u003ccode\u003esrc/server.py\u003c/code\u003e file. Successful exploitation allows a remote attacker to bypass directory restrictions and access or modify files outside the intended \u003ccode\u003eWORKSPACE_PATH\u003c/code\u003e. The vulnerability\u0026rsquo;s ease of exploitation is increased by the public availability of exploit code. Although the project was notified through an issue report, no response or patch has been released to date. This poses a significant risk to systems running vulnerable versions of engineer-your-data, potentially leading to sensitive data exposure or unauthorized modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of \u003ccode\u003eengineer-your-data\u003c/code\u003e running version 0.1.3 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eread_file\u003c/code\u003e, \u003ccode\u003ewrite_file\u003c/code\u003e, \u003ccode\u003elist_files\u003c/code\u003e, or \u003ccode\u003efile_inf\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003eWORKSPACE_PATH\u003c/code\u003e argument containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esrc/server.py\u003c/code\u003e script processes the request without proper sanitization or validation of the \u003ccode\u003eWORKSPACE_PATH\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access a file system resource based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal, the application accesses a file or directory outside the intended \u003ccode\u003eWORKSPACE_PATH\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003eread_file\u003c/code\u003e function is targeted, the attacker retrieves the contents of an arbitrary file.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ewrite_file\u003c/code\u003e function is targeted, the attacker can overwrite an arbitrary file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote, unauthenticated attacker to read sensitive files on the server, potentially exposing credentials, configuration files, or other confidential data. Alternatively, an attacker could overwrite system files, leading to denial of service or arbitrary code execution. Given the public availability of exploit code, vulnerable systems are at high risk of compromise. The impact is amplified by the lack of a patch or response from the project maintainers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;) in the \u003ccode\u003eWORKSPACE_PATH\u003c/code\u003e parameter, as described in the attack chain. Deploy the Sigma rule \u003ccode\u003eDetect Engineer-Your-Data Path Traversal Attempt\u003c/code\u003e to identify malicious requests.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eWORKSPACE_PATH\u003c/code\u003e argument in \u003ccode\u003esrc/server.py\u003c/code\u003e to prevent path traversal, addressing CVE-2026-7214.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to block requests containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T02:16:08Z","date_published":"2026-04-28T02:16:08Z","id":"/briefs/2026-04-engineer-your-data-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-7214) exists in eghuzefa's engineer-your-data up to version 0.1.3, allowing remote attackers to read or write arbitrary files by manipulating the WORKSPACE_PATH argument.","title":"Path Traversal Vulnerability in engineer-your-data","url":"https://feed.craftedsignal.io/briefs/2026-04-engineer-your-data-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7212"}],"_cs_exploited":false,"_cs_products":["notes-mcp (\u003c= 0.1.4)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","CVE-2026-7212"],"_cs_type":"advisory","_cs_vendors":["edvardlindelof"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7212, affects edvardlindelof notes-mcp version 0.1.4 and earlier. This flaw resides within the \u003ccode\u003enotes_mcp.py\u003c/code\u003e file, where manipulation of the \u003ccode\u003eroot_dir/path\u003c/code\u003e argument allows unauthorized access to files and directories outside the intended scope. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. The vendor was notified through an issue report but has not yet responded, making timely patching unlikely. Successful exploitation could lead to sensitive data exposure, potentially compromising the entire application and server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an instance of \u003ccode\u003enotes-mcp\u003c/code\u003e running version 0.1.4 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable endpoint in \u003ccode\u003enotes_mcp.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003eroot_dir/path\u003c/code\u003e argument containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to navigate outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize or validate the \u003ccode\u003eroot_dir/path\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application uses the attacker-controlled path to access files or directories on the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data, such as configuration files, application source code, or user data, by reading arbitrary files on the server.\u003c/li\u003e\n\u003cli\u003eIf write access is possible, the attacker may overwrite critical system files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed information to further compromise the system or gain unauthorized access to other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability can lead to unauthorized access to sensitive files and directories on the affected server. This could result in the disclosure of confidential data, such as user credentials, application source code, or internal configuration details. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH), indicating a significant risk. The number of potential victims is unknown, but any system running the vulnerable version of \u003ccode\u003enotes-mcp\u003c/code\u003e is at risk. The project\u0026rsquo;s lack of response to the vulnerability report suggests that a patch may not be immediately available, increasing the window of opportunity for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server access logs for suspicious requests containing path traversal sequences like \u003ccode\u003e../\u003c/code\u003e in the URI targeting \u003ccode\u003enotes_mcp.py\u003c/code\u003e to identify potential exploitation attempts (see Sigma rule \u003ccode\u003eDetect notes-mcp Path Traversal Attempt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual file access patterns originating from the affected server after potential exploitation.\u003c/li\u003e\n\u003cli\u003eSince a public exploit is available, prioritize patching or mitigating this vulnerability if you are using the affected software, paying close attention to changes in request patterns and ensuring awareness of CVE-2026-7212.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T02:16:08Z","date_published":"2026-04-28T02:16:08Z","id":"/briefs/2026-04-notes-mcp-path-traversal/","summary":"A path traversal vulnerability exists in edvardlindelof notes-mcp up to version 0.1.4, affecting the notes_mcp.py file, allowing a remote attacker to access sensitive files by manipulating the `root_dir/path` argument.","title":"edvardlindelof notes-mcp Path Traversal Vulnerability (CVE-2026-7212)","url":"https://feed.craftedsignal.io/briefs/2026-04-notes-mcp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7205"}],"_cs_exploited":false,"_cs_products":["papers-mcp-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["duartium"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in duartium papers-mcp-server, specifically version 9ceb3812a6458ba7922ca24a7406f8807bc55598. The vulnerability resides within the \u003ccode\u003esearch_papers\u003c/code\u003e function located in the \u003ccode\u003esrc/main.py\u003c/code\u003e file. By manipulating the \u003ccode\u003etopic\u003c/code\u003e argument, a remote attacker can exploit this flaw to traverse the file system and potentially read sensitive files. This vulnerability, identified as CVE-2026-7205, is remotely exploitable and has a publicly available exploit, increasing the risk of widespread exploitation. The project maintainers were notified, but there has been no response or patch released, making immediate defensive measures critical for organizations using this software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of duartium papers-mcp-server version 9ceb3812a6458ba7922ca24a7406f8807bc55598.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003esearch_papers\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker injects a path traversal payload into the \u003ccode\u003etopic\u003c/code\u003e argument, such as \u0026ldquo;../../etc/passwd\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe server-side application, without proper sanitization, processes the malicious \u003ccode\u003etopic\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read the file specified by the attacker\u0026rsquo;s path traversal payload (e.g., /etc/passwd).\u003c/li\u003e\n\u003cli\u003eThe server responds with the contents of the requested file, effectively leaking sensitive information to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the leaked file for sensitive data, such as usernames, passwords, or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained information to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows attackers to read arbitrary files on the affected server. This could lead to the disclosure of sensitive configuration files, user credentials, or source code, potentially leading to further compromise, lateral movement within the network, and data breaches. The lack of a patch and the availability of a public exploit increases the likelihood of widespread exploitation and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect exploitation attempts against the \u003ccode\u003esearch_papers\u003c/code\u003e endpoint, focusing on path traversal payloads in the \u003ccode\u003etopic\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003etopic\u003c/code\u003e parameter within the \u003ccode\u003esearch_papers\u003c/code\u003e function to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences like \u0026ldquo;../\u0026rdquo; and \u0026ldquo;./\u0026rdquo; in the URI query to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply rate limiting to the \u003ccode\u003esearch_papers\u003c/code\u003e endpoint to mitigate potential brute-force path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T01:17:16Z","date_published":"2026-04-28T01:17:16Z","id":"/briefs/2026-04-duartium-path-traversal/","summary":"A path traversal vulnerability exists in the `search_papers` function of `src/main.py` in duartium papers-mcp-server version 9ceb3812a6458ba7922ca24a7406f8807bc55598, allowing remote attackers to read arbitrary files by manipulating the `topic` argument, with a public exploit available.","title":"Duartium papers-mcp-server Path Traversal Vulnerability (CVE-2026-7205)","url":"https://feed.craftedsignal.io/briefs/2026-04-duartium-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7036"}],"_cs_exploited":false,"_cs_products":["i9"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7036","path-traversal","tenda","network"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7036, exists in Tenda i9 version 1.0.0.5(2204). Specifically, the vulnerability resides in the R7WebsSecurityHandlerfunction of the HTTP Handler component. This flaw allows a remote, unauthenticated attacker to potentially access sensitive files and directories on the affected device. The vulnerability was reported on 2026-04-26, and a public exploit is reportedly available, increasing the risk of exploitation. This poses a significant threat to organizations using the affected Tenda i9 router, as it could lead to unauthorized access to sensitive information or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Tenda i9 router running firmware version 1.0.0.5(2204) accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable R7WebsSecurityHandlerfunction.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;) within the URL or request parameters.\u003c/li\u003e\n\u003cli\u003eThe Tenda i9 router processes the malicious request without proper sanitization of the path.\u003c/li\u003e\n\u003cli\u003eThe R7WebsSecurityHandlerfunction incorrectly interprets the path traversal sequence, allowing access to files or directories outside the intended web root.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive files, such as configuration files or system logs.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the exposed information to further compromise the device or the network it is connected to.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially modify system files or execute commands, leading to full device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7036 can lead to unauthorized access to sensitive files on the Tenda i9 router. This includes configuration files containing credentials, system logs, or other confidential data. An attacker could leverage this access to gain further control of the device, potentially leading to a complete system compromise. While the number of affected devices is currently unknown, given the widespread use of Tenda routers, the potential impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect HTTP requests containing path traversal sequences targeting web servers to detect exploitation attempts (Sigma rule: \u0026ldquo;Detect Tenda i9 Path Traversal Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eSince the source mentions a public exploit exists, prioritize patching or replacing vulnerable Tenda i9 routers to remediate CVE-2026-7036 immediately, if a patch becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns or requests containing suspicious path traversal sequences.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T12:16:22Z","date_published":"2026-04-26T12:16:22Z","id":"/briefs/2026-04-tenda-path-traversal/","summary":"CVE-2026-7036 is a path traversal vulnerability affecting the R7WebsSecurityHandlerfunction in the HTTP Handler component of Tenda i9 version 1.0.0.5(2204), allowing remote attackers to access sensitive files.","title":"Tenda i9 Path Traversal Vulnerability (CVE-2026-7036)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-6940"}],"_cs_exploited":false,"_cs_products":["radare2"],"_cs_severities":["high"],"_cs_tags":["path-traversal","radare2","local-privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["radare"],"content_html":"\u003cp\u003eRadare2, a reverse engineering framework, is susceptible to a path traversal vulnerability (CVE-2026-6940) affecting versions prior to 6.1.4. This flaw allows a local attacker to delete arbitrary directories outside of the intended project storage location. By crafting project marker files with absolute paths that escape the configured \u003ccode\u003edir.projects\u003c/code\u003e root directory, an attacker can trick the radare2 process into recursively deleting directories they should not have access to. This vulnerability poses a significant risk to system integrity and availability, as attackers can potentially delete critical system files or data. This vulnerability was published on 2026-04-23 and could be exploited immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a system with radare2 installed.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the location where radare2 stores project files (configured by \u003ccode\u003edir.projects\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious radare2 project file containing an absolute path pointing outside the designated project directory. This path includes traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to escape the \u003ccode\u003edir.projects\u003c/code\u003e root.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious project marker file in a location where radare2 will discover it (e.g. a default projects directory).\u003c/li\u003e\n\u003cli\u003eAttacker uses radare2\u0026rsquo;s project deletion functionality, specifying the malicious project for deletion.\u003c/li\u003e\n\u003cli\u003eRadare2, without proper validation of the project file path, recursively deletes the directory specified in the crafted path.\u003c/li\u003e\n\u003cli\u003eThis deletion occurs with the permissions of the radare2 process, potentially allowing the attacker to delete files and directories they would normally not have access to.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary directory deletion, leading to loss of system integrity and availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to recursively delete arbitrary directories on the affected system. This can lead to significant data loss, system instability, and denial of service. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of severity. While no specific victim numbers or sector targeting have been disclosed, the potential impact on any system running a vulnerable version of radare2 is substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade radare2 to version 6.1.4 or later to patch CVE-2026-6940.\u003c/li\u003e\n\u003cli\u003eImplement the process creation rule below to detect suspicious radare2 executions that could indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider limiting local user access to systems running radare2 to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T21:16:06Z","date_published":"2026-04-23T21:16:06Z","id":"/briefs/2026-04-radare2-path-traversal/","summary":"Radare2 versions prior to 6.1.4 are vulnerable to a path traversal in project deletion, allowing local attackers to recursively delete arbitrary directories by escaping the 'dir.projects' root, leading to integrity and availability loss.","title":"Radare2 Path Traversal Vulnerability in Project Deletion","url":"https://feed.craftedsignal.io/briefs/2026-04-radare2-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-30869"}],"_cs_exploited":false,"_cs_products":["siyuan"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","siYuan"],"_cs_type":"advisory","_cs_vendors":["siyuan"],"content_html":"\u003cp\u003eSiYuan is vulnerable to a path traversal vulnerability (CVE-2026-30869) due to a redundant \u003ccode\u003eurl.PathUnescape()\u003c/code\u003e call within the \u003ccode\u003eserveExport()\u003c/code\u003e function. The vulnerability exists in versions prior to 3.6.5. This flaw allows an authenticated attacker, including low-privilege users with Publish/Reader roles, to bypass intended security restrictions and access sensitive files stored within the SiYuan workspace. The initial fix attempted with \u003ccode\u003eIsSensitivePath()\u003c/code\u003e proved insufficient as it did not address the core issue of double URL decoding. An attacker can exploit this vulnerability by using double URL encoded characters in a crafted HTTP request, allowing them to read arbitrary files such as the complete SQLite document database (\u003ccode\u003esiyuan.db\u003c/code\u003e), kernel logs, and other critical files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker sends a GET request to the \u003ccode\u003e/export/\u003c/code\u003e endpoint with a double URL encoded path, such as \u003ccode\u003e/export/%252e%252e/siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Go HTTP server decodes the initial layer of URL encoding, transforming \u003ccode\u003e%25\u003c/code\u003e into \u003ccode\u003e%\u003c/code\u003e, resulting in a path like \u003ccode\u003e/export/%2e%2e/siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe path cleaner does not recognize \u003ccode\u003e%2e%2e\u003c/code\u003e as directory traversal, so it passes through.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eserveExport()\u003c/code\u003e function then calls \u003ccode\u003eurl.PathUnescape()\u003c/code\u003e on the path, decoding \u003ccode\u003e%2e%2e\u003c/code\u003e into \u003ccode\u003e..\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilepath.Join()\u003c/code\u003e function concatenates the \u003ccode\u003eexportBaseDir\u003c/code\u003e with the now decoded path, e.g., \u003ccode\u003e\u0026lt;workspace\u0026gt;/../siyuan.db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIsSensitivePath()\u003c/code\u003e check fails to block the request because it doesn\u0026rsquo;t account for the decoded path or specific database files in the \u003ccode\u003etemp/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully retrieves the contents of the \u003ccode\u003esiyuan.db\u003c/code\u003e file, which contains the complete document database.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to access other sensitive files within the workspace, such as \u003ccode\u003esiyuan.log\u003c/code\u003e, \u003ccode\u003eblocktree.db\u003c/code\u003e, and \u003ccode\u003easset_content.db\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to exfiltrate sensitive data, including the entire SQLite document database, potentially containing all user documents, attributes, and search indexes. The attacker can also access the kernel log, which may contain internal server paths, versions, configuration details, and error messages. This information disclosure could lead to further compromise of the system. While the number of victims is unknown, any SiYuan instance running a version prior to 3.6.5 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan to version 3.6.5 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect SiYuan Path Traversal Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for double URL encoded characters in requests to the \u003ccode\u003e/export/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/export/\u003c/code\u003e endpoint containing \u003ccode\u003e%252e%252e\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing a more robust path validation mechanism within the \u003ccode\u003eserveExport()\u003c/code\u003e function that properly handles URL decoding and directory traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T20:55:31Z","date_published":"2026-04-22T20:55:31Z","id":"/briefs/2026-04-siyuan-path-traversal/","summary":"SiYuan is vulnerable to path traversal via double URL encoding in the `/export/` endpoint, bypassing an incomplete fix for CVE-2026-30869; an authenticated attacker can exploit this vulnerability to traverse directories and read arbitrary workspace files, including the SQLite database (`siyuan.db`), kernel log, and user documents due to a redundant `url.PathUnescape()` call in `serveExport()`.","title":"SiYuan Path Traversal via Double URL Encoding in `/export/` Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-6855"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","instructlab","cve-2026-6855"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6855 describes a path traversal vulnerability found in InstructLab, a tool or platform that allows for interactive instruction or learning sessions. A local attacker can exploit this vulnerability by manipulating the \u003ccode\u003elogs_dir\u003c/code\u003e parameter within the chat session handler. This manipulation allows the attacker to bypass intended directory restrictions and gain the ability to create new directories and write files to arbitrary locations on the affected system. The vulnerability was…\u003c/p\u003e\n","date_modified":"2026-04-22T13:16:22Z","date_published":"2026-04-22T13:16:22Z","id":"/briefs/2026-04-instructlab-path-traversal/","summary":"A local attacker can exploit a path traversal vulnerability in InstructLab by manipulating the `logs_dir` parameter, leading to arbitrary file creation and modification.","title":"InstructLab Path Traversal Vulnerability (CVE-2026-6855)","url":"https://feed.craftedsignal.io/briefs/2026-04-instructlab-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41058"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","cve-2026-41058","avideo","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWWBN AVideo is an open-source video platform. Versions 29.0 and below are vulnerable to a path traversal vulnerability (CVE-2026-41058) due to an incomplete fix for the \u003ccode\u003edeleteDump\u003c/code\u003e parameter in the CloneSite functionality. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server by injecting \u003ccode\u003e../../\u003c/code\u003e sequences into the GET request. The vulnerability was reported on April 21, 2026, and a fix is available in commit 3c729717c26f160014a5c86b0b6accdbd613e7b2. Successful exploitation allows attackers to potentially disrupt service, delete sensitive data, or escalate privileges depending on the file permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an AVideo instance running version 29.0 or below.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the CloneSite functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) into the \u003ccode\u003edeleteDump\u003c/code\u003e parameter of the GET request.\u003c/li\u003e\n\u003cli\u003eThe AVideo application fails to properly sanitize the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called with the attacker-controlled path, allowing deletion of arbitrary files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the vulnerability to delete critical system files or configuration files.\u003c/li\u003e\n\u003cli\u003eThe application or server becomes unstable or inoperable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41058 allows unauthenticated attackers to delete arbitrary files on the AVideo server. This can lead to denial of service, data loss, or potential privilege escalation if critical system files are deleted. The vulnerability affects all AVideo instances running version 29.0 or below, potentially impacting a large number of users and organizations relying on the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AVideo instances to a version containing the fix from commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 to address CVE-2026-41058.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AVideo Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences in the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the CloneSite functionality and the \u003ccode\u003edeleteDump\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-avideo-path-traversal/","summary":"WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.","title":"WWBN AVideo Unauthenticated Path Traversal Vulnerability (CVE-2026-41058)","url":"https://feed.craftedsignal.io/briefs/2026-04-avideo-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6832"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6832","path-traversal","file-deletion","webui"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHermes WebUI, a web-based user interface, contains an arbitrary file deletion vulnerability, tracked as CVE-2026-6832. The vulnerability resides in the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint. An authenticated attacker can exploit this flaw by supplying a crafted \u003ccode\u003esession_id\u003c/code\u003e parameter containing an absolute path or path traversal sequences. This allows the attacker to bypass the intended \u003ccode\u003eSESSION_DIR\u003c/code\u003e boundary and delete arbitrary files on the server, provided the attacker has write access to those files. Versions prior to the patched version are affected. Successful exploitation leads to information integrity issues and potential denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Hermes WebUI using valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003esession_id\u003c/code\u003e parameter with a path traversal payload (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e) or an absolute path to a target file.\u003c/li\u003e\n\u003cli\u003eThe Hermes WebUI application fails to properly validate the \u003ccode\u003esession_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path using the unvalidated \u003ccode\u003esession_id\u003c/code\u003e, allowing it to escape the intended \u003ccode\u003eSESSION_DIR\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, the target file is successfully deleted from the file system.\u003c/li\u003e\n\u003cli\u003eThe deletion of critical system or application files leads to a denial-of-service condition or other system instability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6832 allows authenticated attackers to delete arbitrary files on the system running Hermes WebUI. This can lead to data loss, application malfunction, or even complete system compromise if critical system files are deleted. The vulnerability affects all deployments of Hermes WebUI prior to the patched version, potentially impacting numerous organizations using the vulnerable software. While the exact number of victims is unknown, the severity of the vulnerability is high due to the potential for significant damage and disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Hermes WebUI to version v0.50.132 or later, where the vulnerability is patched, as referenced in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on the \u003ccode\u003esession_id\u003c/code\u003e parameter in the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect malicious requests to the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to \u003ccode\u003e/api/session/delete\u003c/code\u003e with suspicious \u003ccode\u003esession_id\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-hermes-file-deletion/","summary":"Hermes WebUI is vulnerable to arbitrary file deletion via path traversal in the /api/session/delete endpoint due to insufficient validation of the session_id parameter, allowing authenticated attackers to delete writable JSON files on the host system.","title":"Hermes WebUI Arbitrary File Deletion Vulnerability (CVE-2026-6832)","url":"https://feed.craftedsignal.io/briefs/2026-04-hermes-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40050"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","vulnerability","logscale","crowdstrike"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCrowdStrike has disclosed CVE-2026-40050, a critical unauthenticated path traversal vulnerability affecting specific versions of LogScale. This vulnerability allows unauthenticated remote attackers to read arbitrary files from the server\u0026rsquo;s filesystem. The vulnerability resides in a specific cluster API endpoint. CrowdStrike mitigated the vulnerability for LogScale SaaS customers on April 7, 2026, by deploying network-layer blocks. CrowdStrike self-hosted LogScale customers are urged to upgrade to a patched version immediately to remediate the vulnerability. The vulnerability was identified through CrowdStrike\u0026rsquo;s internal product testing. Next-Gen SIEM customers are not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable LogScale instance with the exposed cluster API endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request containing a path traversal payload targeting the vulnerable API endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses authentication checks due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eLogScale server processes the request and attempts to access the file specified in the path traversal payload.\u003c/li\u003e\n\u003cli\u003eDue to the missing input validation, the server accesses files outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe server reads the contents of the targeted file from the filesystem.\u003c/li\u003e\n\u003cli\u003eThe file content is included in the HTTP response sent back to the attacker.\u003c/li\u003e\n\u003cli\u003eAttacker obtains sensitive information from the server\u0026rsquo;s filesystem, such as configuration files, credentials, or internal data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40050 allows an unauthenticated remote attacker to read arbitrary files on the LogScale server. This could lead to the exposure of sensitive data, including configuration files, credentials, and internal application data. The vulnerability affects self-hosted LogScale customers who have not applied the necessary security updates. The impact could be severe, potentially leading to data breaches or unauthorized access to the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade self-hosted LogScale instances to the latest patched version to remediate CVE-2026-40050 immediately.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal patterns targeting LogScale\u0026rsquo;s API endpoints to detect potential exploitation attempts (see rule: \u0026ldquo;Detect LogScale Path Traversal Attempts\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy network-layer blocks to restrict access to the vulnerable API endpoint if immediate patching is not feasible.\u003c/li\u003e\n\u003cli\u003eReview access controls and network segmentation to limit the impact of potential future vulnerabilities.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture cs-uri-query, cs-uri-stem, and cs-method to improve visibility and incident response.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-crowdstrike-logscale-path-traversal/","summary":"A critical unauthenticated path traversal vulnerability (CVE-2026-40050) in CrowdStrike LogScale allows remote attackers to read arbitrary files from the server filesystem if a specific cluster API endpoint is exposed, necessitating immediate patching for self-hosted customers.","title":"CrowdStrike LogScale Unauthenticated Path Traversal Vulnerability (CVE-2026-40050)","url":"https://feed.craftedsignal.io/briefs/2026-04-crowdstrike-logscale-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-27198"},{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["teamcity","vulnerability","authentication bypass","path traversal","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eJetBrains TeamCity, a CI/CD software platform, is vulnerable to CVE-2024-27198, an authentication bypass, and CVE-2024-27199, a path traversal vulnerability. These flaws affect TeamCity versions prior to 2023.11.4. Initially, there was no observed active exploitation. However, by March 7, 2024, widespread exploitation was detected following the public availability of proof-of-concept code. Attackers are actively exploiting these vulnerabilities to create new user accounts on publicly exposed, unpatched TeamCity instances. A substantial number of compromised servers are utilized as production machines for software building and deployment. These attacks have the potential to lead to supply-chain compromises by exposing sensitive information. CISA added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog on April 20, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to a vulnerable TeamCity server, exploiting CVE-2024-27198 to bypass authentication.\u003c/li\u003e\n\u003cli\u003eOnce authenticated (or bypassing authentication), the attacker leverages CVE-2024-27199, a path traversal vulnerability, to access sensitive files and directories on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker reads configuration files containing credentials for other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker creates new administrative user accounts on the TeamCity server to ensure persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies build configurations to inject malicious code into software builds.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the software supply chain by injecting malicious code into build artifacts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to access deployment environments and deploy compromised builds.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform administrative actions on affected TeamCity servers, leading to a compromise of confidentiality, integrity, and availability of data and infrastructure. The compromise of TeamCity servers used for software building and deployment can result in supply-chain attacks, as these servers often contain sensitive information, such as credentials for deployment environments. A substantial portion of compromised TeamCity servers are utilized as production machines for software building and deployment processes, increasing the scope and impact of potential supply chain attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all JetBrains TeamCity servers to version 2023.11.4 or later to remediate CVE-2024-27198 and CVE-2024-27199 (Reference: \u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/)\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect TeamCity Authentication Bypass Attempt\u0026rdquo; to your SIEM to detect exploitation attempts of CVE-2024-27198.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and increase monitoring to detect suspicious activity related to path traversal attempts indicative of CVE-2024-27199 exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new user accounts within TeamCity, especially administrative accounts, which could indicate successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T10:00:00Z","date_published":"2026-04-22T10:00:00Z","id":"/briefs/2026-04-jetbrains-teamcity-vulns/","summary":"Unpatched JetBrains TeamCity servers are being actively exploited via an authentication bypass (CVE-2024-27198) and path traversal vulnerability (CVE-2024-27199), allowing attackers to perform administrative actions and potentially conduct supply-chain attacks.","title":"JetBrains TeamCity Authentication Bypass and Path Traversal Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-jetbrains-teamcity-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39973"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["apktool","path-traversal","android","cve-2026-39973"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eApktool, a tool used for reverse engineering Android APK files, is vulnerable to a path traversal issue in versions 3.0.0 and 3.0.1 (CVE-2026-39973). This vulnerability resides within the \u003ccode\u003ebrut/androlib/res/decoder/ResFileDecoder.java\u003c/code\u003e component. A maliciously crafted APK can exploit this flaw during standard decoding (\u003ccode\u003eapktool d\u003c/code\u003e) to write arbitrary files to the filesystem. The vulnerability is a security regression introduced by commit e10a045 (PR #4041, December 12, 2025), which inadvertently removed the \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e call, a crucial safeguard against path traversal attacks. By embedding \u003ccode\u003e../\u003c/code\u003e sequences in the \u003ccode\u003eresources.arsc\u003c/code\u003e Type String Pool, attackers can bypass directory restrictions and write files to sensitive locations, such as \u003ccode\u003e~/.ssh/config\u003c/code\u003e, \u003ccode\u003e~/.bashrc\u003c/code\u003e, or Windows Startup folders, ultimately enabling remote code execution. Apktool version 3.0.2 addresses this vulnerability by reintroducing the \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e function in \u003ccode\u003eResFileDecoder.java\u003c/code\u003e, effectively mitigating the path traversal risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Android APK file.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds \u003ccode\u003e../\u003c/code\u003e sequences within the \u003ccode\u003eresources.arsc\u003c/code\u003e Type String Pool of the APK.\u003c/li\u003e\n\u003cli\u003eA user attempts to decode the malicious APK file using a vulnerable version of Apktool (3.0.0 or 3.0.1) via the command \u003ccode\u003eapktool d malicious.apk\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the decoding process, the \u003ccode\u003eResFileDecoder.java\u003c/code\u003e component processes the \u003ccode\u003eresources.arsc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003eBrutIO.sanitizePath()\u003c/code\u003e call, the \u003ccode\u003e../\u003c/code\u003e sequences are not sanitized, allowing path traversal.\u003c/li\u003e\n\u003cli\u003eApktool attempts to write a resource file to a location outside the intended output directory.\u003c/li\u003e\n\u003cli\u003eThe resource file is written to an arbitrary location on the filesystem, potentially overwriting critical system files (e.g., \u003ccode\u003e~/.bashrc\u003c/code\u003e, \u003ccode\u003e~/.ssh/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf a file like \u003ccode\u003e~/.bashrc\u003c/code\u003e is overwritten, subsequent shell sessions execute malicious code, achieving remote code execution. If a Windows Startup folder is targeted, the code executes on the next reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to write arbitrary files to the filesystem of the machine running Apktool. This can lead to various malicious outcomes, including remote code execution, privilege escalation, and data exfiltration. The impact is particularly severe if Apktool is run with elevated privileges or if sensitive files are overwritten. While specific victim numbers are not available, developers and security researchers who rely on Apktool for APK analysis are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Apktool version 3.0.2 or later to remediate CVE-2026-39973.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on sensitive files like \u003ccode\u003e~/.bashrc\u003c/code\u003e and \u003ccode\u003e~/.ssh/config\u003c/code\u003e to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring to detect the execution of \u003ccode\u003eapktool d\u003c/code\u003e with suspicious arguments, particularly targeting unexpected output directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Apktool Path Traversal Attempt\u0026rdquo; to identify potential exploitation attempts based on command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T02:16:07Z","date_published":"2026-04-21T02:16:07Z","id":"/briefs/2026-04-apktool-path-traversal/","summary":"A path traversal vulnerability in Apktool versions 3.0.0 and 3.0.1 allows a malicious APK file to write arbitrary files to the filesystem during decoding, potentially leading to remote code execution.","title":"Apktool Path Traversal Vulnerability (CVE-2026-39973)","url":"https://feed.craftedsignal.io/briefs/2026-04-apktool-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5966"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vulnerability","file-deletion","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5966 describes an arbitrary file deletion vulnerability in TeamT5\u0026rsquo;s ThreatSonar Anti-Ransomware. The vulnerability allows authenticated remote attackers with web access to exploit a path traversal flaw. This means that an attacker who already has valid credentials to access the web interface of ThreatSonar Anti-Ransomware can craft malicious requests to delete files that the application user has access to, regardless of their intended purpose or location. The CVSS v3.1 score is 8.1, indicating a high severity. The vulnerable software is ThreatSonar Anti-Ransomware from TeamT5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials to the ThreatSonar Anti-Ransomware web interface, likely through credential stuffing or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ThreatSonar Anti-Ransomware web application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an endpoint within the web application that handles file operations (e.g., backup, restore, quarantine).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to this endpoint containing a path traversal payload in a filename or filepath parameter (e.g., \u003ccode\u003e../../../../windows/system32/drivers/etc/hosts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web application processes the request without proper sanitization or validation of the file path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the application user has sufficient privileges, the arbitrary file is deleted from the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows authenticated attackers to delete arbitrary files on the system where ThreatSonar Anti-Ransomware is installed. This could lead to denial of service by deleting critical system files, data loss by deleting important data files, or potentially escalate privileges by deleting files used in privilege escalation techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to the latest version of ThreatSonar Anti-Ransomware as provided by TeamT5 to address CVE-2026-5966.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all file path parameters within the ThreatSonar Anti-Ransomware web application to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) in file-related parameters to detect potential exploitation attempts. Deploy the Sigma rule for webserver logs.\u003c/li\u003e\n\u003cli\u003eImplement principle of least privilege and regularly audit user permissions in ThreatSonar Anti-Ransomware.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T08:16:11Z","date_published":"2026-04-20T08:16:11Z","id":"/briefs/2026-04-threatsonar-file-deletion/","summary":"TeamT5's ThreatSonar Anti-Ransomware is vulnerable to arbitrary file deletion via path traversal, allowing authenticated remote attackers with web access to delete arbitrary files on the system.","title":"ThreatSonar Anti-Ransomware Arbitrary File Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-threatsonar-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6568"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","kodexplorer","cve-2026-6568"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-6568, affects kodcloud KodExplorer up to version 4.52. The vulnerability resides within the \u003ccode\u003eshare.class.php::initShareOld\u003c/code\u003e function in the \u003ccode\u003e/app/controller/share.class.php\u003c/code\u003e file, a part of the Public Share Handler component. An attacker can exploit this flaw by manipulating the \u003ccode\u003epath\u003c/code\u003e argument, leading to unauthorized access to files and directories outside of the intended share path. Public exploit code is available, increasing the risk of active exploitation. The vendor was notified, but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a KodExplorer instance running version 4.52 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/app/controller/share.class.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated \u003ccode\u003epath\u003c/code\u003e argument designed to traverse directories outside the intended share path (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eshare.class.php::initShareOld\u003c/code\u003e function processes the request without proper sanitization of the \u003ccode\u003epath\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf successful, the application reads and potentially displays the contents of the targeted file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved information to gather sensitive data, such as usernames, system configurations, or database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised information to further compromise the system or gain access to other sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6568 can allow an unauthenticated remote attacker to read arbitrary files on the KodExplorer server. This may lead to the disclosure of sensitive information such as configuration files, user credentials, or source code. The vulnerability poses a significant risk to organizations using affected versions of KodExplorer. The number of potential victims is unknown, but it is likely to affect any organization using the vulnerable software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation to the \u003ccode\u003epath\u003c/code\u003e parameter within the \u003ccode\u003eshare.class.php::initShareOld\u003c/code\u003e function to prevent path traversal (reference CVE-2026-6568).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect KodExplorer Path Traversal Attempt\u0026rdquo; to identify malicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;, \u0026ldquo;..\u0026quot;, \u0026ldquo;%2e%2e/\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eBlock access to the malicious URLs listed in the IOC table at the network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T10:16:09Z","date_published":"2026-04-19T10:16:09Z","id":"/briefs/2026-04-kodexplorer-path-traversal/","summary":"KodExplorer up to version 4.52 is vulnerable to a path traversal attack via manipulation of the path argument in the share.class.php::initShareOld function, potentially allowing remote attackers to access sensitive files.","title":"KodExplorer Path Traversal Vulnerability (CVE-2026-6568)","url":"https://feed.craftedsignal.io/briefs/2026-04-kodexplorer-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-40342"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["firebird","path-traversal","code-execution","cve-2026-40342","database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFirebird, an open-source relational database management system, is vulnerable to a path traversal flaw (CVE-2026-40342) in versions prior to 5.0.4, 4.0.7, and 3.0.14. This vulnerability resides within the external engine plugin loader. The loader concatenates a user-supplied engine name into a filesystem path without proper sanitization, leaving it open to path traversal attacks. An authenticated user with \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges can craft a malicious \u003ccode\u003eENGINE\u003c/code\u003e name containing path separators and \u003ccode\u003e..\u003c/code\u003e components. This allows them to load an arbitrary shared library from anywhere on the filesystem. The library\u0026rsquo;s initialization code executes immediately upon loading, before Firebird can validate the module, effectively granting code execution under the security context of the server\u0026rsquo;s operating system account. Upgrading to versions 5.0.4, 4.0.7, or 3.0.14 resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Firebird database server with an account possessing \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious \u003ccode\u003eENGINE\u003c/code\u003e name that includes path traversal sequences (e.g., \u003ccode\u003e../../../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted \u003ccode\u003eENGINE\u003c/code\u003e name in a \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e statement, specifying a path to an arbitrary shared library on the filesystem. For example, \u003ccode\u003eCREATE FUNCTION evil_func RETURNS INTEGER ENGINE '/path/to/evil/../../../../tmp/evil.so'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Firebird server\u0026rsquo;s plugin loader concatenates the provided \u003ccode\u003eENGINE\u003c/code\u003e name into a filesystem path without proper validation.\u003c/li\u003e\n\u003cli\u003eThe Firebird server attempts to load the shared library from the attacker-controlled path, effectively bypassing intended access controls.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the shared library into the Firebird server\u0026rsquo;s process.\u003c/li\u003e\n\u003cli\u003eThe shared library\u0026rsquo;s initialization code executes immediately, granting the attacker arbitrary code execution within the context of the Firebird server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Firebird server\u0026rsquo;s OS account, potentially leading to data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Firebird server with the privileges of the operating system account running the Firebird service. This can lead to full system compromise, including data exfiltration, modification, or destruction. Given the high CVSS score of 9.9, this vulnerability poses a critical risk to organizations using vulnerable Firebird versions. The impact could range from complete database compromise to lateral movement within the network, depending on the privileges of the Firebird service account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Firebird servers to versions 5.0.4, 4.0.7, or 3.0.14 to patch CVE-2026-40342.\u003c/li\u003e\n\u003cli\u003eMonitor Firebird server logs for \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e statements with suspicious \u003ccode\u003eENGINE\u003c/code\u003e names containing path traversal sequences, and deploy the Sigma rule \u003ccode\u003eDetect Firebird Create Function Path Traversal\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges to only authorized users, and enable audit logging on all Firebird database servers to monitor user activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:35Z","date_published":"2026-04-17T20:16:35Z","id":"/briefs/2026-04-firebird-path-traversal/","summary":"An authenticated user with CREATE FUNCTION privileges can exploit a path traversal vulnerability in Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14, to load an arbitrary shared library leading to code execution as the server's OS account.","title":"Firebird Path Traversal Vulnerability Leads to Code Execution (CVE-2026-40342)","url":"https://feed.craftedsignal.io/briefs/2026-04-firebird-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-40518"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-write","bytedance","deerflow"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eByteDance DeerFlow, a software of unknown purpose, prior to commit 2176b2b, is vulnerable to path traversal and arbitrary file write. The vulnerability lies within the bootstrap-mode custom-agent creation process, specifically due to insufficient validation of the agent name. This flaw allows attackers to bypass intended directory restrictions and write files to arbitrary locations on the system, provided they have the necessary filesystem permissions. The vulnerability was reported on April 17, 2026 and has been assigned CVE-2026-40518. Exploitation of this vulnerability could lead to privilege escalation and system compromise. Defenders should prioritize patching or mitigating this vulnerability to prevent unauthorized file modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privileged access to the DeerFlow application.\u003c/li\u003e\n\u003cli\u003eAttacker initiates the creation of a custom agent in bootstrap mode.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious agent name containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;, absolute paths).\u003c/li\u003e\n\u003cli\u003eThe DeerFlow application fails to properly validate the agent name.\u003c/li\u003e\n\u003cli\u003eThe application uses the attacker-supplied agent name to create directories.\u003c/li\u003e\n\u003cli\u003eThe path traversal in the agent name allows the application to create directories outside the intended custom-agent directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads files as part of the custom agent creation.\u003c/li\u003e\n\u003cli\u003eThe application writes these files to the attacker-controlled location, resulting in arbitrary file write.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to write arbitrary files to the file system, potentially overwriting system files or planting malicious executables. This could lead to privilege escalation, arbitrary code execution, and complete system compromise. While the number of affected installations is unknown, any system running a vulnerable version of ByteDance DeerFlow is susceptible to this attack. The severity is compounded by the ease of exploitation, requiring only low-privileged access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of ByteDance DeerFlow that includes commit 2176b2b to remediate the vulnerability referenced by CVE-2026-40518.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious DeerFlow Agent Creation\u003c/code\u003e to detect exploitation attempts targeting CVE-2026-40518 by monitoring process creation events.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to custom agent creation endpoints in DeerFlow to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T17:17:09Z","date_published":"2026-04-17T17:17:09Z","id":"/briefs/2026-04-deerflow-path-traversal/","summary":"ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed, allowing attackers to write files outside the intended custom-agent directory.","title":"ByteDance DeerFlow Path Traversal and Arbitrary File Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-deerflow-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-41082"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","package-manager","ocaml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOCaml opam, a package manager for OCaml, is susceptible to a path traversal vulnerability (CVE-2026-41082) in versions prior to 2.5.1. The vulnerability stems from insufficient validation of filepaths specified within the \u0026ldquo;.install\u0026rdquo; files used to define package installation procedures. Specifically, the \u0026ldquo;.install\u0026rdquo; field, which dictates the destination of installed files, permits the inclusion of \u0026ldquo;../\u0026rdquo; sequences. This oversight can be exploited by malicious package maintainers or compromised repositories to overwrite files outside the intended installation directory. This allows attackers to manipulate critical system files, potentially escalating privileges and compromising the entire system. The impact is significant for developers and systems relying on opam for package management, as it introduces a risk of arbitrary file modification and subsequent system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OCaml package containing a specially crafted \u0026ldquo;.install\u0026rdquo; file.\u003c/li\u003e\n\u003cli\u003eThe malicious \u0026ldquo;.install\u0026rdquo; file contains a destination filepath that utilizes \u0026ldquo;../\u0026rdquo; sequences to traverse to parent directories.\u003c/li\u003e\n\u003cli\u003eA user unknowingly installs the malicious package using \u003ccode\u003eopam install \u0026lt;package\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpam parses the \u0026ldquo;.install\u0026rdquo; file and executes the file installation instructions.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, opam writes files to unintended locations outside of the intended package directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites critical system files, such as configuration files or binaries.\u003c/li\u003e\n\u003cli\u003eThe system is compromised as a result of the overwritten files, potentially leading to privilege escalation or arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary file overwrite, potentially resulting in privilege escalation, code execution, and complete system compromise. While the specific number of affected systems is unknown, any system utilizing OCaml opam versions before 2.5.1 is potentially vulnerable. This includes development environments, build servers, and production systems relying on OCaml packages installed through opam. A successful attack could lead to data loss, system instability, or unauthorized access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OCaml opam to version 2.5.1 or later to remediate CVE-2026-41082 (see references).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Opam Path Traversal in Install Files\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for suspicious file paths during opam package installation.\u003c/li\u003e\n\u003cli\u003eImplement strict controls over the packages and repositories used by opam to prevent the installation of malicious or compromised packages.\u003c/li\u003e\n\u003cli\u003eRegularly audit the \u0026ldquo;.install\u0026rdquo; files of installed packages for suspicious path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-opam-path-traversal/","summary":"OCaml opam before 2.5.1 is vulnerable to path traversal via a crafted .install file, potentially allowing attackers to overwrite arbitrary files.","title":"OCaml opam Path Traversal Vulnerability (CVE-2026-41082)","url":"https://feed.craftedsignal.io/briefs/2026-04-opam-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-20186"},{"cvss":9.9,"id":"CVE-2026-20147"},{"cvss":9.9,"id":"CVE-2026-20180"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco-ise","rce","command-injection","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Identity Services Engine (ISE) versions 3.x.x (3.1.0 - 3.4.0, and 3.1.0 p1-p10, 3.2.0 p1-p7, 3.3 Patches 1-7, and 3.4 Patches 1-3) are vulnerable to three newly disclosed vulnerabilities that can lead to remote code execution. These vulnerabilities, CVE-2026-20186, CVE-2026-20147, and CVE-2026-20180, can be exploited by remote attackers with low privileges, such as having Read Only Admin credentials. Successful exploitation can result in service disruption, system takeover, and complete compromise of the ISE instance. The vulnerabilities involve command injection and path traversal due to insufficient validation of user-supplied input in HTTP request handling. There is currently no public proof-of-concept or proof-of-exploitation available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to CISCO ISE with low-privilege credentials (e.g., Read Only Admin).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting a vulnerable endpoint within the ISE web application.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits CVE-2026-20186 by injecting commands to escalate privileges to root.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits CVE-2026-20147 by sending a crafted HTTP request to execute arbitrary commands on the underlying operating system.\u003c/li\u003e\n\u003cli\u003eAs another option, the attacker leverages CVE-2026-20180 by exploiting insufficient validation of user-supplied input, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eThe injected commands or executed code elevates the attacker\u0026rsquo;s privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the ISE system, enabling them to modify configurations, access sensitive data, or install malicious software.\u003c/li\u003e\n\u003cli\u003eIn single-node ISE deployments, successful exploitation can lead to a denial-of-service condition, disrupting network authentication and authorization services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain complete control over the CISCO ISE system. This can lead to the compromise of sensitive network access policies, credentials, and other confidential information managed by ISE. The impact includes potential disruption of network services due to denial-of-service, unauthorized access to network resources, and the potential for lateral movement to other systems within the network. Given that ISE is a critical component for network access control, a successful attack can have widespread and severe consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch vulnerable CISCO ISE instances to the latest version to remediate CVE-2026-20186, CVE-2026-20147, and CVE-2026-20180 (Cisco Security Advisory).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and detection capabilities to identify suspicious activity related to these vulnerabilities (CCB Recommendation).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any existing compromises by reviewing system logs and configurations for unauthorized changes (CCB Recommendation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T08:45:05Z","date_published":"2026-04-17T08:45:05Z","id":"/briefs/2026-04-cisco-ise-rce/","summary":"Multiple critical vulnerabilities in CISCO ISE (CVE-2026-20186, CVE-2026-20147, CVE-2026-20180) allow remote attackers with low privileges to execute arbitrary commands, potentially escalating privileges to root and causing denial-of-service.","title":"Multiple Critical Vulnerabilities in CISCO ISE Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-ise-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4659"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","file-read","path-traversal","cve-2026-4659"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Unlimited Elements for Elementor plugin, versions 2.0.6 and earlier, contains an arbitrary file read vulnerability (CVE-2026-4659). This vulnerability stems from inadequate sanitization of path traversal sequences within the \u003ccode\u003eURLtoRelative()\u003c/code\u003e and \u003ccode\u003eurlToPath()\u003c/code\u003e functions, particularly when combined with the ability to enable debug output. The \u003ccode\u003eURLtoRelative()\u003c/code\u003e function inadequately strips the base URL without properly sanitizing path traversal characters (\u003ccode\u003e../\u003c/code\u003e). Successful exploitation allows authenticated attackers with Author-level permissions or higher to access and read arbitrary local files on the WordPress host. This can include sensitive configuration files like \u003ccode\u003ewp-config.php\u003c/code\u003e, potentially exposing database credentials and other sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress application with Author-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eRepeater JSON/CSV URL\u003c/code\u003e parameter within the Unlimited Elements widget settings.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing path traversal sequences (e.g., \u003ccode\u003ehttp://site.com/../../../../etc/passwd\u003c/code\u003e) in the \u003ccode\u003eRepeater JSON/CSV URL\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL is passed to the \u003ccode\u003eURLtoRelative()\u003c/code\u003e function, which removes the base URL but fails to sanitize the path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe resulting path (e.g., \u003ccode\u003e/../../../../etc/passwd\u003c/code\u003e) is concatenated with the base path by the application.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecleanPath()\u003c/code\u003e function normalizes directory separators, but does not remove traversal components, leaving the path vulnerable.\u003c/li\u003e\n\u003cli\u003eThe application resolves the path, leading to access of the targeted file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the arbitrary file, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, potentially extracting sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to read arbitrary files on the WordPress host. This can lead to the exposure of sensitive data, including database credentials, API keys, and other configuration settings stored in files like \u003ccode\u003ewp-config.php\u003c/code\u003e. The impact ranges from data leakage to potential full compromise of the WordPress installation and the underlying server, depending on the contents of the accessed files and the attacker\u0026rsquo;s subsequent actions. The number of potentially affected WordPress sites is substantial, given the popularity of the Elementor plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Unlimited Elements for Elementor plugin to a version greater than 2.0.6 to patch CVE-2026-4659.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing path traversal sequences (\u003ccode\u003e../\u003c/code\u003e) in the URI, focusing on requests targeting WordPress plugins; use the provided Sigma rule to facilitate this detection.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization for URL parameters within WordPress plugins, specifically when handling file paths, to prevent path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T07:23:36Z","date_published":"2026-04-17T07:23:36Z","id":"/briefs/2026-04-wordpress-file-read/","summary":"The Unlimited Elements for Elementor plugin for WordPress is vulnerable to arbitrary file read due to insufficient path traversal sanitization, allowing authenticated attackers to read sensitive files from the WordPress host.","title":"Unlimited Elements for Elementor WordPress Plugin Arbitrary File Read (CVE-2026-4659)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-file-read/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-34242"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["weblate","path-traversal","zip-archive","cve-2026-34242"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeblate, a web-based localization tool, has a path traversal vulnerability (CVE-2026-34242) affecting versions prior to 5.17. The vulnerability exists within the ZIP download feature, where the application fails to adequately verify downloaded files. This can allow an attacker to craft a malicious ZIP archive containing symbolic links that, when extracted by a user or the application itself, can lead to files outside of the intended repository being accessed. The vulnerability was reported and patched in version 5.17. Exploitation of this vulnerability requires a user to download and extract a maliciously crafted ZIP file.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Weblate instance running a version prior to 5.17.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to a translation project, either legitimately (e.g., as a translator) or illegitimately (e.g., via compromised credentials or another vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious ZIP archive containing symbolic links that point to sensitive files or directories outside the intended Weblate repository (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, application configuration files).\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious ZIP archive to the Weblate project, potentially disguised as a legitimate translation file.\u003c/li\u003e\n\u003cli\u003eA user (e.g., an administrator or another translator) downloads the ZIP archive using the ZIP download feature.\u003c/li\u003e\n\u003cli\u003eThe user extracts the ZIP archive on their local machine or, if Weblate automatically processes the ZIP, on the server.\u003c/li\u003e\n\u003cli\u003eThe symbolic links within the extracted archive are resolved, potentially allowing access to sensitive files or directories outside the Weblate repository.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to sensitive information, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-34242) can allow an attacker to read arbitrary files on the server where Weblate is installed or on a user\u0026rsquo;s machine if the user downloads and extracts the crafted ZIP archive locally. This could lead to the exposure of sensitive information such as application configuration files, database credentials, or even system-level files, depending on the permissions of the user or the Weblate application. The severity is rated as HIGH with a CVSS v3.1 score of 7.7.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weblate to version 5.17 or later to patch CVE-2026-34242 (reference: Overview).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on Weblate servers to detect unauthorized file access (reference: Attack Chain - step 7).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect ZIP archive downloads containing suspicious filenames that might indicate path traversal attempts (reference: rules).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of downloading and extracting files from untrusted sources (reference: Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:16:35Z","date_published":"2026-04-15T19:16:35Z","id":"/briefs/2026-04-weblate-path-traversal/","summary":"Weblate versions before 5.17 are vulnerable to path traversal due to improper verification of downloaded files in the ZIP download feature, potentially allowing attackers to access files outside the intended repository.","title":"Weblate Path Traversal Vulnerability in ZIP Download Feature (CVE-2026-34242)","url":"https://feed.craftedsignal.io/briefs/2026-04-weblate-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zarf","path-traversal","arbitrary-file-write","package-inspection","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZarf, a tool for air-gapped deployments, is susceptible to a path traversal vulnerability (CVE-2026-40090) affecting versions prior to v0.74.2. The vulnerability stems from inadequate sanitization of the \u003ccode\u003eMetadata.Name\u003c/code\u003e field within Zarf package manifests. When a user employs the \u003ccode\u003ezarf package inspect sbom\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation\u003c/code\u003e commands on an untrusted package, the tool constructs output file paths by concatenating a user-controlled output directory with the package\u0026rsquo;s \u003ccode\u003eMetadata.Name\u003c/code\u003e field. A malicious actor can craft a Zarf package with a manipulated \u003ccode\u003eMetadata.Name\u003c/code\u003e containing path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e), enabling arbitrary file write capabilities within the permissions of the user running the \u003ccode\u003einspect\u003c/code\u003e command. This vulnerability allows attackers to write to locations they control, potentially leading to privilege escalation or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003ezarf.yaml\u003c/code\u003e manifest within the package to include a \u003ccode\u003eMetadata.Name\u003c/code\u003e field containing path traversal sequences (e.g., \u003ccode\u003e../../../../tmp/evil\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker repacks the Zarf package, recalculating checksums if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eA victim user downloads the malicious Zarf package.\u003c/li\u003e\n\u003cli\u003eThe victim executes \u003ccode\u003ezarf package inspect sbom --output-dir /tmp \u0026lt;malicious-package.tar.zst\u0026gt;\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation --output-dir /tmp \u0026lt;malicious-package.tar.zst\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eZarf extracts the \u003ccode\u003eMetadata.Name\u003c/code\u003e from the \u003ccode\u003ezarf.yaml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eZarf constructs an output path by joining the user-specified output directory (/tmp) with the malicious \u003ccode\u003eMetadata.Name\u003c/code\u003e (\u003ccode\u003e../../../../tmp/evil\u003c/code\u003e), resulting in \u003ccode\u003e/tmp/../../../../tmp/evil\u003c/code\u003e. The tool attempts to write the SBOM or documentation data to this path, resulting in writing the file to \u003ccode\u003e/tmp/evil\u003c/code\u003e. This allows attackers to write files such as SSH authorized keys, cron jobs, or shell profiles.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files to the file system, limited by the permissions of the user running the \u003ccode\u003ezarf package inspect\u003c/code\u003e command. This can lead to several critical consequences: privilege escalation by writing to authorized_keys files, arbitrary code execution by writing cron jobs, or persistent compromise by writing to shell profiles. This vulnerability affects users running the \u003ccode\u003ezarf package inspect sbom\u003c/code\u003e or \u003ccode\u003ezarf package inspect documentation\u003c/code\u003e command on untrusted packages. The affected packages are go/github.com/zarf-dev/zarf versions \u0026gt;= 0.23.0 and \u0026lt; 0.74.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Zarf to version v0.74.2 or later to patch CVE-2026-40090.\u003c/li\u003e\n\u003cli\u003eAvoid inspecting unsigned Zarf packages as a workaround until the upgrade is complete, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Zarf Package Inspection with Path Traversal\u0026rdquo; to identify attempts to exploit this vulnerability via command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in sensitive directories (e.g., \u003ccode\u003e/home/$USER/.ssh\u003c/code\u003e, \u003ccode\u003e/etc/cron.d\u003c/code\u003e) for files created by the zarf binary using the \u0026ldquo;Detect Zarf Arbitrary File Write\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-15-zarf-path-traversal/","summary":"Zarf is vulnerable to path traversal due to insufficient sanitization of the Metadata.Name field in package manifests when using the `zarf package inspect sbom` or `zarf package inspect documentation` commands, potentially leading to arbitrary file write.","title":"Zarf Path Traversal Vulnerability via Malicious Package Metadata.Name","url":"https://feed.craftedsignal.io/briefs/2026-04-15-zarf-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-34619"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","coldfusion","cve-2026-34619"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-34619 describes a path traversal vulnerability affecting Adobe ColdFusion versions 2023.18, 2025.6, and earlier. Disclosed on April 14, 2026, this vulnerability allows an attacker to bypass intended security restrictions and gain access to sensitive files and directories on the ColdFusion server. The vulnerability exists due to improper limitation of pathnames, and successful exploitation requires no user interaction, making it particularly dangerous. This issue could lead to the exposure of configuration files, source code, or other sensitive data, potentially compromising the entire ColdFusion application and the server it resides on. Organizations using these versions of ColdFusion are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a ColdFusion server running a vulnerable version (2023.18, 2025.6, or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;) in a URL parameter that is used to access files.\u003c/li\u003e\n\u003cli\u003eThe ColdFusion server improperly processes the path, failing to adequately restrict access to files within the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses security restrictions and gains access to files or directories outside of the intended web root.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive configuration files, such as database connection strings or API keys.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages exposed credentials to gain unauthorized access to databases or other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies application code or uploads malicious files to further compromise the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34619 can lead to a complete compromise of the ColdFusion server. An attacker could steal sensitive data, including customer information, proprietary source code, and database credentials. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations. The lack of required user interaction makes this vulnerability particularly dangerous, as an attacker can exploit it without any user awareness.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Adobe ColdFusion as soon as possible. Refer to Adobe\u0026rsquo;s security bulletin APSB26-38 for the latest updates and instructions (\u003ca href=\"https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html)\"\u003ehttps://helpx.adobe.com/security/products/coldfusion/apsb26-38.html)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect ColdFusion Path Traversal Attempts\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eContinuously monitor web server logs for suspicious URL patterns and path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-coldfusion-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-34619) in Adobe ColdFusion versions 2023.18, 2025.6, and earlier allows an attacker to bypass security features and access unauthorized files or directories without user interaction.","title":"Adobe ColdFusion Path Traversal Vulnerability (CVE-2026-34619)","url":"https://feed.craftedsignal.io/briefs/2026-04-coldfusion-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-39813"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","vulnerability","privilege-escalation","fortinet"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-39813, affects Fortinet FortiSandbox appliances. Specifically, versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 are susceptible. The vulnerability stems from insufficient path validation, potentially allowing an unauthenticated attacker to manipulate file paths and gain elevated privileges on the system. The specific attack vector is not detailed in the source document, but the use of \u0026lsquo;../filedir\u0026rsquo; suggests the possibility of reading or writing arbitrary files. Successful exploitation could lead to complete system compromise, data exfiltration, or denial of service. Defenders should apply available patches or mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted request to the FortiSandbox appliance.\u003c/li\u003e\n\u003cli\u003eThe request targets a specific endpoint vulnerable to path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u0026ldquo;../filedir\u0026rdquo; sequence within a file path parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application fails to properly sanitize the file path.\u003c/li\u003e\n\u003cli\u003eThe attacker uses path traversal to access sensitive configuration files or system binaries.\u003c/li\u003e\n\u003cli\u003eBy overwriting existing system files, the attacker escalates privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control of the FortiSandbox appliance, potentially allowing lateral movement to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39813 allows an unauthenticated attacker to escalate privileges on the Fortinet FortiSandbox appliance. This could lead to complete system compromise, sensitive data exfiltration, or the deployment of malicious payloads. The lack of specific victim numbers or sectors targeted in the source data prevents further quantitative assessment. However, given the appliance\u0026rsquo;s role in network security, a successful attack could severely impact the security posture of organizations using the vulnerable FortiSandbox versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Fortinet FortiSandbox to a patched version outside the vulnerable range (5.0.0-5.0.5 and 4.4.0-4.4.8) to remediate CVE-2026-39813.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Fortinet FortiSandbox Path Traversal Attempt\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing \u0026ldquo;../filedir\u0026rdquo; patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules and review system logs for signs of unauthorized access or privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T16:16:45Z","date_published":"2026-04-14T16:16:45Z","id":"/briefs/2026-04-fortinet-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-39813) in Fortinet FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 may allow an unauthenticated attacker to escalate privileges via '../filedir'.","title":"Fortinet FortiSandbox Path Traversal Vulnerability (CVE-2026-39813)","url":"https://feed.craftedsignal.io/briefs/2026-04-fortinet-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22562"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","unifi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22562 describes a critical path traversal vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) devices. An attacker with access to the UniFi Play network can exploit this vulnerability to write arbitrary files on the file system. This capability can then be leveraged to achieve remote code execution (RCE) on the vulnerable device. Successful exploitation requires network access to the affected UniFi Play devices, making internal networks the primary target. The vulnerability was disclosed in April 2026. Defenders should prioritize patching vulnerable devices to prevent potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the UniFi Play network (e.g., via compromised credentials or network intrusion).\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable UniFi Play device (PowerAmp \u0026lt;= 1.0.35 or Audio Port \u0026lt;= 1.0.24).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request containing a path traversal sequence (e.g., \u0026ldquo;../../../\u0026rdquo;) in a file upload or download parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable device processes the request without proper sanitization, allowing the attacker to write a file to an arbitrary location on the file system.\u003c/li\u003e\n\u003cli\u003eAttacker writes a malicious script (e.g., a shell script or executable) to a location where it can be executed (e.g., a startup directory or cron job).\u003c/li\u003e\n\u003cli\u003eAttacker triggers the execution of the malicious script (e.g., by rebooting the device or waiting for the cron job to run).\u003c/li\u003e\n\u003cli\u003eThe malicious script executes with the privileges of the UniFi Play device, granting the attacker remote code execution.\u003c/li\u003e\n\u003cli\u003eAttacker uses RCE to further compromise the device, pivot to other network assets, or establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22562 allows an attacker to gain complete control of the vulnerable UniFi Play device. This can lead to data exfiltration, device disruption, and further compromise of the network to which the device is connected. Given the potential for RCE, an attacker could potentially use compromised devices as entry points to other systems on the network, thus expanding their reach and increasing the overall impact of the attack. Organizations using affected UniFi Play devices are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to patch CVE-2026-22562 (see Overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious HTTP requests containing path traversal sequences targeting UniFi Play devices using the provided Sigma rule (Path Traversal in URI).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential compromise of a UniFi Play device.\u003c/li\u003e\n\u003cli\u003eReview and harden access controls to the UniFi Play network to prevent unauthorized access by potential attackers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T14:00:00Z","date_published":"2026-04-14T14:00:00Z","id":"/briefs/2026-04-unifi-path-traversal/","summary":"A path traversal vulnerability in UniFi Play devices allows an attacker with network access to write arbitrary files, leading to remote code execution.","title":"UniFi Play Path Traversal Vulnerability (CVE-2026-22562)","url":"https://feed.craftedsignal.io/briefs/2026-04-unifi-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-35204"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["helm","path-traversal","vulnerability","plugin","kubernetes"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHelm, a package manager for Kubernetes charts, is vulnerable to a path traversal issue. Specifically, Helm versions 4.0.0 through 4.1.3 are affected. A maliciously crafted Helm plugin, when installed or updated, can exploit this vulnerability (CVE-2026-35204) to write the plugin\u0026rsquo;s contents to arbitrary locations on the user\u0026rsquo;s filesystem. This can lead to overwriting critical system files or user data, potentially compromising the system\u0026rsquo;s integrity. Helm v4.1.4 resolves this vulnerability by rejecting plugins with non-SemVer versions containing path traversal patterns. Defenders should ensure Helm installations are updated to the patched version or implement workarounds to validate plugin metadata.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Helm plugin. This plugin contains a \u003ccode\u003eplugin.yaml\u003c/code\u003e file with a \u003ccode\u003eversion\u003c/code\u003e field that includes POSIX dot-dot path separators (e.g., \u003ccode\u003e/../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious plugin to potential victims, possibly through public repositories or direct spear phishing.\u003c/li\u003e\n\u003cli\u003eA victim attempts to install or update the Helm plugin using the \u003ccode\u003ehelm plugin install\u003c/code\u003e or \u003ccode\u003ehelm plugin update\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eHelm parses the \u003ccode\u003eplugin.yaml\u003c/code\u003e file and extracts the \u003ccode\u003eversion\u003c/code\u003e field, which contains the path traversal characters.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Helm incorrectly resolves the file path, allowing the plugin\u0026rsquo;s contents to be written outside the intended plugin directory.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin overwrites arbitrary files on the user\u0026rsquo;s system based on the path specified in the \u003ccode\u003eversion\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eDepending on the files overwritten, the attacker can achieve various malicious objectives, such as gaining persistence, escalating privileges, or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by overwriting system startup scripts or configuration files, allowing the malicious code to run automatically on system reboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to overwrite arbitrary files on the victim\u0026rsquo;s system. This can lead to various detrimental outcomes, including data loss, system instability, privilege escalation, and ultimately, complete system compromise. While the specific number of victims is unknown, any user running a vulnerable version of Helm (4.0.0 - 4.1.3) is at risk. The potential impact includes compromising Kubernetes deployments and sensitive data stored on affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Helm to version 4.1.4 or later to remediate CVE-2026-35204, as this version includes a patch that prevents path traversal during plugin installation.\u003c/li\u003e\n\u003cli\u003eImplement a validation step before installing or updating Helm plugins, checking the \u003ccode\u003eplugin.yaml\u003c/code\u003e file for a \u003ccode\u003eversion:\u003c/code\u003e field containing POSIX dot-dot path separators. This mitigates the risk described in the workaround section of the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Helm Plugin Install with Path Traversal\u0026rdquo; to detect attempts to install plugins with malicious \u003ccode\u003eversion\u003c/code\u003e fields, using file_event logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-helm-path-traversal/","summary":"A path traversal vulnerability in Helm versions 4.0.0 to 4.1.3 allows a malicious plugin to write files to arbitrary locations on the filesystem, leading to potential system compromise.","title":"Helm Plugin Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-helm-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-31939"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-deletion","chamilo-lms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is vulnerable to a path traversal vulnerability (CVE-2026-31939) affecting versions prior to 1.11.38. This vulnerability resides in the \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e script. The vulnerability arises because the application directly concatenates user-supplied input from the \u003ccode\u003e$_REQUEST['test']\u003c/code\u003e parameter into a filesystem path without proper sanitization, canonicalization, or traversal checks. This allows an attacker to manipulate the path and potentially delete arbitrary files on the server. Successful exploitation requires an authenticated user with access to the vulnerable functionality. Organizations using affected versions of Chamilo LMS are at risk of data loss and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user accesses the \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e script within the Chamilo LMS application.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the value of the \u003ccode\u003etest\u003c/code\u003e parameter from the \u003ccode\u003e$_REQUEST\u003c/code\u003e array.\u003c/li\u003e\n\u003cli\u003eThe application concatenates this user-supplied value directly into a file system path without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe application then attempts to delete the file specified by the constructed path using a function such as \u003ccode\u003eunlink()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003etest\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) to navigate outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application, without proper checks, uses the manipulated path to delete a file outside of the designated exercise directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully deletes arbitrary files on the server, potentially including sensitive configuration files or other critical data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31939 allows an attacker to delete arbitrary files on the Chamilo LMS server. This can lead to data loss, system instability, and potential compromise of the entire system. The CVSS v3.1 score of 8.3 (HIGH) reflects the potential for significant impact, with confidentiality, integrity, and availability all being affected. The number of victims depends on the deployment size and user base of the affected Chamilo LMS instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-31939, as indicated in the advisory \u003ca href=\"https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38\"\u003ehttps://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied input, especially the \u003ccode\u003etest\u003c/code\u003e parameter in \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e, to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e), using the provided Sigma rule as a guide.\u003c/li\u003e\n\u003cli\u003eImplement file system access controls to limit the permissions of the web server process to only the necessary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-path-trav/","summary":"A path traversal vulnerability (CVE-2026-31939) in Chamilo LMS versions prior to 1.11.38 allows authenticated attackers to delete arbitrary files via unsanitized user input in the 'test' parameter of savescores.php.","title":"Chamilo LMS Path Traversal Vulnerability (CVE-2026-31939)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-path-trav/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-35668"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","openclaw"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.24 are susceptible to a path traversal vulnerability (CVE-2026-35668) that compromises sandbox enforcement. This flaw allows a sandboxed agent to read arbitrary files from another agent\u0026rsquo;s workspace by exploiting weaknesses in the handling of \u003ccode\u003emediaUrl\u003c/code\u003e and \u003ccode\u003efileUrl\u003c/code\u003e parameters. The vulnerability stems from incomplete parameter validation within the \u003ccode\u003enormalizeSandboxMediaParams\u003c/code\u003e function and the absence of \u003ccode\u003emediaLocalRoots\u003c/code\u003e context, which enables attackers to bypass intended sandbox restrictions and access sensitive data, such as API keys and configuration files, located outside the agent\u0026rsquo;s designated sandbox root. Successful exploitation allows unauthorized data access, potentially leading to lateral movement or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenClaw instance running a version prior to 2026.3.24.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing either a \u003ccode\u003emediaUrl\u003c/code\u003e or \u003ccode\u003efileUrl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted URL includes path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) designed to navigate outside the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enormalizeSandboxMediaParams\u003c/code\u003e function processes the URL but fails to adequately sanitize or normalize the path, due to insufficient validation.\u003c/li\u003e\n\u003cli\u003eThe lack of proper \u003ccode\u003emediaLocalRoots\u003c/code\u003e context during path resolution further contributes to the bypass.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access the file specified by the manipulated URL.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the application reads a file outside the intended sandbox root, potentially revealing sensitive information like API keys.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the targeted file, completing the unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35668 can lead to the disclosure of sensitive information, including API keys and configuration data, stored within other agents\u0026rsquo; workspaces. This unauthorized access can enable attackers to perform lateral movement, escalate privileges, or exfiltrate valuable data. While specific victim counts are unavailable, any OpenClaw deployment running a vulnerable version is at risk. The impact is heightened in environments where OpenClaw agents handle sensitive data or manage critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-35668 and address the underlying path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all URL parameters, especially those related to file or media access, to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eApply the provided Sigma rule to detect suspicious requests containing path traversal sequences in \u003ccode\u003emediaUrl\u003c/code\u003e or \u003ccode\u003efileUrl\u003c/code\u003e parameters within web server logs.\u003c/li\u003e\n\u003cli\u003eReview and strengthen sandbox configurations to ensure proper isolation between OpenClaw agents and restrict access to sensitive files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:17:09Z","date_published":"2026-04-10T17:17:09Z","id":"/briefs/2026-04-openclaw-path-traversal/","summary":"OpenClaw before 2026.3.24 is vulnerable to path traversal, allowing sandboxed agents to read arbitrary files from other agents' workspaces via manipulated URL parameters.","title":"OpenClaw Path Traversal Vulnerability (CVE-2026-35668)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4351"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","perfmatters","file-overwrite","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin for WordPress, in versions up to and including 2.5.9, is vulnerable to an arbitrary file overwrite vulnerability (CVE-2026-4351). This vulnerability stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s processing of bulk \u003ccode\u003eactivate\u003c/code\u003e/\u003ccode\u003edeactivate\u003c/code\u003e actions without proper authorization checks or nonce verification. The unsanitized \u003ccode\u003e$_GET['snippets'][]\u003c/code\u003e values are then passed to \u003ccode\u003eSnippet::activate()\u003c/code\u003e/\u003ccode\u003eSnippet::deactivate()\u003c/code\u003e, which subsequently call \u003ccode\u003eSnippet::update()\u003c/code\u003e and \u003ccode\u003efile_put_contents()\u003c/code\u003e with a traversed path. An authenticated attacker with subscriber-level privileges can exploit this flaw to overwrite arbitrary files on the server with a fixed PHP docblock, leading to a potential denial-of-service condition by corrupting critical files such as \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e. This vulnerability allows low-privileged users to gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the WordPress site with subscriber-level access.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress installation.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003epmcs_action\u003c/code\u003e parameter set to \u003ccode\u003ebulk_activate\u003c/code\u003e or \u003ccode\u003ebulk_deactivate\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003esnippets[]\u003c/code\u003e parameter containing a path traversal payload, such as \u003ccode\u003e../../../.htaccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e function processes the request without proper authorization or nonce validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSnippet::activate()\u003c/code\u003e or \u003ccode\u003eSnippet::deactivate()\u003c/code\u003e functions are called, leading to \u003ccode\u003eSnippet::update()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSnippet::update()\u003c/code\u003e then calls \u003ccode\u003efile_put_contents()\u003c/code\u003e with the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the targeted file (e.g., \u003ccode\u003e.htaccess\u003c/code\u003e, \u003ccode\u003eindex.php\u003c/code\u003e) with a fixed PHP docblock, leading to a denial of service or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to overwrite arbitrary files on the WordPress server. Overwriting critical files like \u003ccode\u003e.htaccess\u003c/code\u003e or \u003ccode\u003eindex.php\u003c/code\u003e can result in a denial-of-service condition, rendering the website unavailable. In some cases, this could be leveraged for further compromise by injecting malicious code into other PHP files or modifying server configurations. The vulnerability affects all installations using the Perfmatters plugin version 2.5.9 or earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4351.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Overwrite Attempt\u003c/code\u003e to monitor for exploitation attempts targeting this vulnerability via HTTP GET requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests containing \u003ccode\u003epmcs_action=bulk_activate\u003c/code\u003e or \u003ccode\u003epmcs_action=bulk_deactivate\u003c/code\u003e and path traversal sequences within the \u003ccode\u003esnippets[]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls to limit the impact of potential file overwrite vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T02:37:36Z","date_published":"2026-04-10T02:37:36Z","id":"/briefs/2026-04-perfmatters-overwrite/","summary":"The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal, allowing authenticated attackers with subscriber-level access to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service.","title":"Perfmatters WordPress Plugin Arbitrary File Overwrite Vulnerability (CVE-2026-4351)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-overwrite/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-39981"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","cve","agixt","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAGiXT, a dynamic AI Agent Automation Platform, contains a critical vulnerability (CVE-2026-39981) affecting versions prior to 1.9.2. The vulnerability lies in the \u003ccode\u003esafe_join()\u003c/code\u003e function within the \u003ccode\u003eessential_abilities\u003c/code\u003e extension. This function fails to adequately validate file paths, creating an opportunity for authenticated attackers to perform directory traversal attacks. By exploiting this flaw, an attacker can manipulate file paths to access files outside the designated agent workspace, resulting in arbitrary file read, write, or deletion capabilities on the server hosting the AGiXT instance. This issue was addressed and resolved in AGiXT version 1.9.2. This vulnerability could allow an attacker to gain complete control over the AGiXT server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the AGiXT application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003esafe_join()\u003c/code\u003e function within the \u003ccode\u003eessential_abilities\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to navigate outside the intended agent workspace.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esafe_join()\u003c/code\u003e function fails to properly sanitize the input, allowing the traversal sequences to take effect.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to read arbitrary files on the server using the path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the ability to write to arbitrary files to inject malicious code or overwrite existing system files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the write access to establish persistence, potentially by modifying system startup scripts or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server hosting the AGiXT instance, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39981 can lead to complete compromise of the AGiXT server. An attacker could gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt services. This vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. The impact could be significant for organizations relying on AGiXT for critical operations, potentially leading to data breaches, financial losses, and reputational damage. The number of victims and specific sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade AGiXT to version 1.9.2 or later to remediate CVE-2026-39981 (references: \u003ca href=\"https://github.com/Josh-XT/AGiXT/releases/tag/v1.9.2)\"\u003ehttps://github.com/Josh-XT/AGiXT/releases/tag/v1.9.2)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent directory traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor AGiXT application logs for suspicious file access attempts and path manipulation sequences.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect potential exploitation attempts targeting CVE-2026-39981.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T18:17:02Z","date_published":"2026-04-09T18:17:02Z","id":"/briefs/2026-04-agixt-path-traversal/","summary":"AGiXT versions prior to 1.9.2 are vulnerable to path traversal (CVE-2026-39981) due to insufficient validation in the safe_join() function, allowing authenticated attackers to read, write, or delete arbitrary files.","title":"AGiXT Path Traversal Vulnerability (CVE-2026-39981)","url":"https://feed.craftedsignal.io/briefs/2026-04-agixt-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-40024"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","code execution","privilege escalation","sleuth kit","CVE-2026-40024"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Sleuth Kit, a collection of command-line tools for forensic analysis of disk images, is susceptible to a path traversal vulnerability (CVE-2026-40024) affecting versions up to 4.14.0. This vulnerability resides within the \u003ccode\u003etsk_recover\u003c/code\u003e utility, which is designed to recover files from disk images. An attacker can exploit this flaw by crafting a malicious filesystem image containing filenames or directory paths with path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e). When \u003ccode\u003etsk_recover\u003c/code\u003e processes this image, it can be tricked into writing files to arbitrary locations outside the intended recovery directory. Successful exploitation allows attackers to overwrite critical system files, such as shell configuration files or cron entries, ultimately leading to code execution with elevated privileges. This vulnerability poses a significant risk to systems utilizing The Sleuth Kit for forensic investigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious filesystem image. This image contains filenames or directory paths embedded with path traversal sequences like \u003ccode\u003e../\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker, or a user under their control, invokes the \u003ccode\u003etsk_recover\u003c/code\u003e utility on a vulnerable system, specifying the malicious filesystem image as input.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003etsk_recover\u003c/code\u003e parses the filesystem image and encounters the crafted filenames with path traversal sequences.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, \u003ccode\u003etsk_recover\u003c/code\u003e incorrectly resolves the file paths, allowing the write operation to escape the intended recovery directory.\u003c/li\u003e\n\u003cli\u003eThe utility writes a file to an arbitrary location on the file system. This location is determined by the attacker-controlled path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe attacker strategically targets critical system files for overwriting, such as shell configuration files (\u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.bash_profile\u003c/code\u003e) or cron entries (\u003ccode\u003e/etc/cron.d/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpon the next user login or scheduled cron job execution, the attacker\u0026rsquo;s malicious code embedded in the overwritten files is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, potentially gaining persistence or escalating privileges on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files to the target system, potentially leading to code execution. By overwriting shell configuration files or cron entries, attackers can gain persistence and escalate their privileges, effectively taking control of the system. While the specific number of victims is unknown, any system utilizing a vulnerable version of The Sleuth Kit for disk image analysis is at risk. The impact could range from data theft to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the level of access gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade The Sleuth Kit to a version beyond 4.14.0 to patch CVE-2026-40024 and eliminate the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for instances of \u003ccode\u003etsk_recover\u003c/code\u003e writing files outside the intended recovery directory using the Sigma rule \u003ccode\u003eDetect Sleuth Kit Path Traversal\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for critical system files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.bash_profile\u003c/code\u003e, \u003ccode\u003e/etc/cron.d/*\u003c/code\u003e) to detect unauthorized modifications resulting from exploitation of CVE-2026-40024.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T22:16:22Z","date_published":"2026-04-08T22:16:22Z","id":"/briefs/2024-01-30-sleuthkit-pathtraversal/","summary":"A path traversal vulnerability exists in The Sleuth Kit through 4.14.0 (tsk_recover), enabling attackers to write files to arbitrary locations via crafted filenames with path traversal sequences in a filesystem image, potentially leading to code execution.","title":"Sleuth Kit Path Traversal Vulnerability (CVE-2026-40024)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-sleuthkit-pathtraversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-33466"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","remote-code-execution","logstash"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33466 exposes a critical vulnerability in Logstash, stemming from improper validation of file paths within compressed archives. This flaw, classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), can be exploited by an attacker to achieve arbitrary file writes on the host system. The attack vector involves serving a specially crafted archive to Logstash, typically through a compromised or attacker-controlled update endpoint. This malicious archive contains file paths designed to traverse directories, allowing the attacker to write files outside of the intended Logstash directories with the privileges of the Logstash process. If Logstash is configured with automatic pipeline reloading, this arbitrary file write can be leveraged to execute arbitrary code, effectively achieving remote code execution (RCE).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Logstash instance with a vulnerable version of the archive extraction utility and a potential attack vector via update endpoints.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious compressed archive containing files with relative path traversal sequences in their filenames (e.g., \u0026ldquo;../../path/to/malicious/file.conf\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eAttacker compromises or controls an update endpoint used by Logstash to retrieve updates, such as pipeline configurations or plugins.\u003c/li\u003e\n\u003cli\u003eLogstash retrieves the malicious archive from the compromised update endpoint.\u003c/li\u003e\n\u003cli\u003eLogstash extracts the contents of the archive using a vulnerable archive extraction utility.\u003c/li\u003e\n\u003cli\u003eDue to insufficient path validation, the utility writes the files to arbitrary locations on the filesystem, overwriting existing files or creating new ones. A common target could be Logstash\u0026rsquo;s configuration directory.\u003c/li\u003e\n\u003cli\u003eIf automatic pipeline reloading is enabled, Logstash detects the modified configuration file and reloads the pipeline.\u003c/li\u003e\n\u003cli\u003eThe malicious configuration file contains embedded code that executes arbitrary commands on the system with the privileges of the Logstash process, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33466 can lead to complete compromise of the Logstash server. An attacker can gain arbitrary code execution, allowing them to install malware, steal sensitive data, or disrupt services. The CVSS v3.1 base score of 8.1 reflects the high potential for damage. While the number of potential victims and targeted sectors are unknown, any organization using a vulnerable Logstash instance is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Logstash that addresses CVE-2026-33466 as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on any update endpoints used by Logstash to prevent the delivery of malicious archives.\u003c/li\u003e\n\u003cli\u003eDisable automatic pipeline reloading in Logstash if possible, or implement controls to verify the integrity of pipeline configurations before reloading.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Logstash Path Traversal Archive Extraction\u003c/code\u003e to detect potential exploitation attempts by monitoring for suspicious file creation events.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for files created outside of the intended Logstash directories using the \u003ccode\u003eDetect Logstash Out-of-Directory File Creation\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T18:26:00Z","date_published":"2026-04-08T18:26:00Z","id":"/briefs/2024-01-24-logstash-path-traversal/","summary":"CVE-2026-33466 describes a vulnerability in Logstash where improper validation of file paths within compressed archives allows arbitrary file writes, potentially leading to remote code execution.","title":"Logstash Arbitrary File Write via Path Traversal (CVE-2026-33466)","url":"https://feed.craftedsignal.io/briefs/2024-01-24-logstash-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-39847"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","web-application","emmett","cve-2026-39847"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Emmett web framework, a full-stack Python framework, is susceptible to a path traversal vulnerability affecting versions 2.5.0 to prior to 2.8.1. Specifically, the RSGI static handler for Emmett\u0026rsquo;s internal assets (/\u003cstrong\u003eemmett\u003c/strong\u003e paths) does not properly sanitize user-supplied input, leading to CVE-2026-39847. By crafting malicious URLs containing \u0026ldquo;../\u0026rdquo; sequences, an unauthenticated attacker can bypass directory restrictions and access sensitive files residing outside the designated assets directory. Successful exploitation allows attackers to potentially read application source code, configuration files, or other sensitive data. Emmett users are urged to upgrade to version 2.8.1 or later to remediate this vulnerability. The vulnerability was reported on April 7th, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Emmett web application running a version between 2.5.0 and 2.8.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting a static asset under the \u003ccode\u003e/__emmett__\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe crafted URL includes \u0026ldquo;../\u0026rdquo; sequences to traverse up the directory structure from the intended assets directory. For example: \u003ccode\u003e/__emmett__/../../../../etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web server receives the request and passes it to the vulnerable RSGI static handler.\u003c/li\u003e\n\u003cli\u003eDue to the lack of input sanitization, the handler processes the \u0026ldquo;../\u0026rdquo; sequences, allowing the attacker to navigate outside the assets directory.\u003c/li\u003e\n\u003cli\u003eThe handler attempts to read the file specified in the manipulated path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns the contents of the requested file in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains sensitive information from the server, potentially including configuration files, source code, or credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-39847) allows an attacker to read arbitrary files on the server hosting the Emmett web application. This can lead to the exposure of sensitive information such as application source code, configuration files containing database credentials, or even system files. The impact can range from information disclosure to complete compromise of the web application and potentially the underlying server. The severity is rated as critical with a CVSS v3.1 score of 9.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Emmett to version 2.8.1 or later to patch CVE-2026-39847.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Emmett Path Traversal Attempts\u0026rdquo; to your SIEM to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URLs containing \u0026ldquo;../\u0026rdquo; sequences targeting the \u003ccode\u003e/__emmett__\u003c/code\u003e path to identify potential exploit attempts.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T22:16:23Z","date_published":"2026-04-07T22:16:23Z","id":"/briefs/2026-04-emmett-path-traversal/","summary":"Emmett web framework versions 2.5.0 to before 2.8.1 are vulnerable to path traversal attacks (CVE-2026-39847), allowing attackers to read arbitrary files outside the intended assets directory using manipulated URLs.","title":"Emmett Web Framework Path Traversal Vulnerability (CVE-2026-39847)","url":"https://feed.craftedsignal.io/briefs/2026-04-emmett-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-35573"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a path traversal attack affecting versions prior to 6.5.3. This vulnerability resides in the backup restore functionality, specifically within \u003ccode\u003esrc/ChurchCRM/Backup/RestoreJob.php\u003c/code\u003e. Authenticated administrators can exploit this flaw by manipulating the \u003ccode\u003e$rawUploadedFile['name']\u003c/code\u003e parameter, which lacks proper sanitization. This allows for the upload of arbitrary files with attacker-controlled names to the \u003ccode\u003e/var/www/html/tmp_attach/ChurchCRMBackups/\u003c/code\u003e directory. Successful exploitation leads to remote code execution via overwriting Apache\u0026rsquo;s \u003ccode\u003e.htaccess\u003c/code\u003e configuration files, effectively compromising the web server. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and control of their systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated administrator logs into the ChurchCRM application.\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the backup restore functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious backup archive containing a crafted \u003ccode\u003e.htaccess\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious backup archive via the restore functionality, exploiting the path traversal vulnerability in \u003ccode\u003esrc/ChurchCRM/Backup/RestoreJob.php\u003c/code\u003e. The \u003ccode\u003e$rawUploadedFile['name']\u003c/code\u003e parameter is manipulated to control the file\u0026rsquo;s destination.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.htaccess\u003c/code\u003e file is written to the web server\u0026rsquo;s document root or a sensitive directory, such as \u003ccode\u003e/var/www/html/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe overwritten \u003ccode\u003e.htaccess\u003c/code\u003e file modifies the Apache web server\u0026rsquo;s configuration, potentially enabling PHP execution for arbitrary file types or redirecting requests to attacker-controlled scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses a file (e.g., an image or text file) which is now parsed as PHP code due to the malicious \u003ccode\u003e.htaccess\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, gaining remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to gain complete control of the ChurchCRM web server. This can lead to data breaches, defacement of the website, and the potential to use the compromised server as a launchpad for further attacks within the network. Given the sensitive nature of data often stored in ChurchCRM systems (e.g., personal contact information, financial records), the compromise can have severe consequences for both the organization and its members. While the exact number of vulnerable installations is unknown, the widespread use of ChurchCRM makes this a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 6.5.3 or later to patch the vulnerability described in CVE-2026-35573.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload validation and sanitization to prevent path traversal vulnerabilities in other web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads to \u003ccode\u003e/var/www/html/tmp_attach/ChurchCRMBackups/\u003c/code\u003e directory, looking for unexpected file extensions using the \u0026ldquo;ChurchCRM Suspicious File Upload\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;ChurchCRM .htaccess File Creation\u0026rdquo; Sigma rule to detect the creation of .htaccess files in web directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:41Z","date_published":"2026-04-07T18:16:41Z","id":"/briefs/2026-04-churchcrm-traversal/","summary":"A path traversal vulnerability in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload arbitrary files, leading to remote code execution by overwriting Apache .htaccess files.","title":"ChurchCRM Path Traversal Vulnerability Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-35050"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path traversal","code execution","text-generation-webui"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe text-generation-webui application, an open-source web interface for running Large Language Models, contains a path traversal vulnerability (CVE-2026-35050) in versions prior to 4.1.1. A high-privileged user can exploit this vulnerability by saving extension settings in \u0026ldquo;.py\u0026rdquo; format within the application\u0026rsquo;s root directory. This allows them to overwrite existing Python files, most notably \u0026ldquo;download-model.py\u0026rdquo;. Subsequently, the overwritten \u0026ldquo;download-model.py\u0026rdquo; file can be executed by initiating a new model download through the application\u0026rsquo;s \u0026ldquo;Model\u0026rdquo; menu. Successful exploitation leads to arbitrary code execution within the context of the application. This vulnerability was patched in version 4.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the text-generation-webui application with high privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious Python script (e.g., containing reverse shell code).\u003c/li\u003e\n\u003cli\u003eAttacker saves the malicious script as an extension setting in \u0026ldquo;.py\u0026rdquo; format, leveraging path traversal to target the application\u0026rsquo;s root directory. The filename is chosen to overwrite \u0026ldquo;download-model.py\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe application saves the malicious \u0026ldquo;.py\u0026rdquo; file, overwriting the original \u0026ldquo;download-model.py\u0026rdquo; in the application root.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the \u0026ldquo;Model\u0026rdquo; menu within the text-generation-webui.\u003c/li\u003e\n\u003cli\u003eAttacker initiates the download of a new model, triggering the execution of the (now compromised) \u0026ldquo;download-model.py\u0026rdquo; file.\u003c/li\u003e\n\u003cli\u003eThe malicious Python code within \u0026ldquo;download-model.py\u0026rdquo; executes, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell connection to their controlled system, achieving full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35050 allows a high-privileged attacker to achieve arbitrary code execution on the server hosting the text-generation-webui application. This could lead to complete system compromise, data exfiltration, and denial of service. The impact is critical due to the ease of exploitation and the potential for significant damage. Organizations using vulnerable versions of text-generation-webui are at risk of having their systems compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade text-generation-webui to version 4.1.1 or later to patch CVE-2026-35050.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls to prevent unauthorized modification of critical application files, mitigating similar path traversal vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file creation events in the application root directory to detect potential exploitation attempts (see example Sigma rule below targeting file creation in the webserver category).\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from the text-generation-webui server for suspicious outbound connections, which could indicate a reverse shell or other malicious activity resulting from code execution. Deploy the provided Sigma rule to detect such connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T18:16:42Z","date_published":"2026-04-06T18:16:42Z","id":"/briefs/2026-04-text-generation-webui-path-traversal/","summary":"text-generation-webui versions prior to 4.1.1 are vulnerable to path traversal, allowing a high-privileged user to overwrite Python files and achieve arbitrary code execution by triggering the 'download-model.py' file through the application's 'Model' menu.","title":"text-generation-webui Path Traversal Vulnerability (CVE-2026-35050)","url":"https://feed.craftedsignal.io/briefs/2026-04-text-generation-webui-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-22661"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-write","code-execution","cve-2026-22661","prompts.chat","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eprompts.chat, a software application, is vulnerable to a path traversal attack (CVE-2026-22661) in versions prior to commit 0f8d4c3. This vulnerability stems from insufficient server-side validation of filenames within skill file archives. A remote attacker can exploit this by crafting malicious ZIP archives that contain filenames with path traversal sequences (e.g., ../). When a vulnerable prompts.chat instance extracts these archives, the lack of proper sanitization allows the attacker to write files to arbitrary locations on the file system, potentially overwriting critical system files and achieving arbitrary code execution. This poses a significant risk to system integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a specially crafted skill file.\u003c/li\u003e\n\u003cli\u003eThe filenames within the ZIP archive include path traversal sequences such as \u003ccode\u003e../\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive to the prompts.chat application.\u003c/li\u003e\n\u003cli\u003eprompts.chat processes the uploaded ZIP archive without properly sanitizing the filenames.\u003c/li\u003e\n\u003cli\u003eThe application extracts the contents of the ZIP archive, writing files to locations specified in the malicious filenames.\u003c/li\u003e\n\u003cli\u003ePath traversal sequences in the filenames allow the attacker to write files outside the intended extraction directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites shell initialization files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e, \u003ccode\u003e.bash_profile\u003c/code\u003e) or other executable files.\u003c/li\u003e\n\u003cli\u003eWhen a user logs in or a new shell is spawned, the overwritten initialization file executes malicious code, granting the attacker arbitrary code execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22661 allows an attacker to write arbitrary files to the client system, leading to potential overwrite of sensitive system files and arbitrary code execution. The vulnerability affects systems running vulnerable versions of prompts.chat. The impact includes complete compromise of the system, data theft, and further propagation of malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch by upgrading to commit 0f8d4c3 or later to remediate CVE-2026-22661.\u003c/li\u003e\n\u003cli\u003eImplement server-side filename validation and sanitization to prevent path traversal attacks when handling ZIP archives within prompts.chat.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences in filenames as identified by the provided rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-prompts-chat-traversal/","summary":"A path traversal vulnerability exists in prompts.chat prior to commit 0f8d4c3, allowing attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames.","title":"prompts.chat Path Traversal Vulnerability (CVE-2026-22661)","url":"https://feed.craftedsignal.io/briefs/2026-04-prompts-chat-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","file-deletion","goshs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe goshs application, a simple static file server written in Go, is vulnerable to a path traversal vulnerability (CVE-2026-35471). This flaw exists within the \u003ccode\u003edeleteFile\u003c/code\u003e function (\u003ccode\u003ehttpserver/handler.go\u003c/code\u003e) due to a missing \u003ccode\u003ereturn\u003c/code\u003e statement after a check for path traversal attempts using \u003ccode\u003e..\u003c/code\u003e. Specifically, if a request contains double-encoded path traversal sequences (e.g., \u003ccode\u003e%252e%252e\u003c/code\u003e), the check fails to prevent subsequent file deletion. This vulnerability, present in versions prior to 1.1.5-0.20260401172448-237f3af891a9, allows an unauthenticated attacker to delete arbitrary files and directories on the server. The vulnerability affects default configurations of goshs, requiring no authentication or specific flags to be set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a goshs instance running a vulnerable version (prior to 1.1.5-0.20260401172448-237f3af891a9).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GET request to a file path containing double-encoded path traversal sequences (\u003ccode\u003e%252e%252e\u003c/code\u003e) to bypass the path traversal check in \u003ccode\u003edeleteFile()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003e?delete\u003c/code\u003e parameter to trigger the file deletion logic.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeleteFile()\u003c/code\u003e function receives the request and decodes the path, but the missing \u003ccode\u003ereturn\u003c/code\u003e after the path traversal check allows the execution to continue.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.RemoveAll()\u003c/code\u003e function is called with the manipulated path, leading to the deletion of arbitrary files or directories outside the intended webroot.\u003c/li\u003e\n\u003cli\u003eThe server responds with HTTP status code 200, even if the file deletion was successful or resulted in an error.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the deletion of the targeted file/directory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows an unauthenticated attacker to delete any file or directory accessible to the goshs process. This could lead to data loss, system instability, or complete compromise of the server if critical system files are deleted. While the exact number of vulnerable instances is unknown, any organization using goshs versions prior to 1.1.5-0.20260401172448-237f3af891a9 is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to goshs version 1.1.5-0.20260401172448-237f3af891a9 or later to patch CVE-2026-35471.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect goshs Path Traversal Attempt via URL Encoding\u0026rdquo; to identify ongoing exploitation attempts based on double-encoded path traversal sequences in HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for GET requests containing double-encoded \u0026ldquo;..\u0026rdquo; sequences and the \u0026ldquo;?delete\u0026rdquo; parameter, indicative of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-goshs-path-traversal/","summary":"The goshs application is vulnerable to unauthenticated path traversal (CVE-2026-35471) due to a missing return statement in the `deleteFile()` function, allowing attackers to delete arbitrary files and directories using a crafted GET request.","title":"goshs Unauthenticated Arbitrary File Deletion via Path Traversal","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zip-slip","path-traversal","code-marketplace","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA Zip Slip vulnerability (CVE-2026-35454) exists in the Coder code-marketplace application, specifically in versions up to 2.4.1. The vulnerability stems from improper sanitization of zip entry names during VSIX file extraction, which allows an attacker to write files to arbitrary locations on the server. This flaw, discovered by Kandlaguduru Vamsi and detailed in GHSA-8x9r-hvwg-c55h, can be exploited by any authenticated user with upload privileges. Successful exploitation could lead to persistence via cron/init injection, SSH key injection, \u003ccode\u003eld.so.preload\u003c/code\u003e hijacking, or binary overwrite. The vulnerability was patched in version 2.4.2. Defenders should upgrade to the latest version of the code-marketplace application to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with upload privileges logs into the code-marketplace application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious VSIX file containing zip entries with path traversal sequences (e.g., \u0026ldquo;../../../etc/cron.d/evil\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious VSIX file through the application\u0026rsquo;s extension upload functionality.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eExtractZip\u003c/code\u003e function processes the uploaded VSIX file without proper sanitization of zip entry names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilepath.Join\u003c/code\u003e function constructs the output path using the unsanitized zip entry name and a base directory.\u003c/li\u003e\n\u003cli\u003ePath traversal sequences like \u003ccode\u003e..\u003c/code\u003e are resolved by \u003ccode\u003efilepath.Clean\u003c/code\u003e, but the resulting path is not checked against the intended base directory, allowing it to escape.\u003c/li\u003e\n\u003cli\u003eThe application writes the extracted file to an attacker-controlled location on the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, privilege escalation, or arbitrary code execution by overwriting critical system files or injecting malicious code into system configurations like cron jobs or SSH authorized keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Zip Slip vulnerability allows attackers to write arbitrary files to the underlying system. An attacker can achieve persistence by injecting malicious cron jobs or modifying system initialization scripts. Privilege escalation is possible via SSH key injection or by overwriting binaries with malicious versions. The impact ranges from system compromise to data exfiltration and denial of service. While the number of victims is unknown, any organization using vulnerable versions of the Coder code-marketplace application is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the coder/code-marketplace application to version 2.4.2 or later to remediate CVE-2026-35454.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on critical system directories (e.g., /etc/cron.d, /root/.ssh) using a file_event log source to detect unauthorized file modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious File Creation in Sensitive Directories\u0026rdquo; to detect potential exploitation attempts based on file creation events.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging and deploy the provided Sigma rule \u0026ldquo;Detect VSIX Uploads with Path Traversal\u0026rdquo; to identify suspicious VSIX uploads containing path traversal sequences based on request parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:29:50Z","date_published":"2026-04-04T06:29:50Z","id":"/briefs/2026-06-code-marketplace-zip-slip/","summary":"A Zip Slip vulnerability in coder/code-marketplace allows authenticated users to upload malicious VSIX files containing path traversal entries, leading to arbitrary file writes outside the extension directory and potentially enabling persistence.","title":"Coder Code-Marketplace Zip Slip Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-code-marketplace-zip-slip/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-34607"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","emlog","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEmlog, an open-source website building system, is vulnerable to a critical path traversal vulnerability (CVE-2026-34607) affecting versions 2.6.2 and earlier. This flaw resides within the \u003ccode\u003eemUnZip()\u003c/code\u003e function located in \u003ccode\u003einclude/lib/common.php:793\u003c/code\u003e. The vulnerability stems from the function\u0026rsquo;s failure to sanitize ZIP entry names during extraction of ZIP archives, such as those used for plugin/template uploads or backup imports. An authenticated administrator can exploit this by uploading a specially crafted ZIP file containing entries with \u0026ldquo;../\u0026rdquo; sequences. This allows the attacker to write arbitrary files to the server\u0026rsquo;s file system, potentially including PHP webshells, ultimately leading to Remote Code Execution (RCE). At the time of this writing, there are no publicly available patches to address this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates as an administrator in the Emlog application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., \u003ccode\u003e../../../../shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive via a plugin/template upload or backup import feature.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eemUnZip()\u003c/code\u003e function is invoked, which extracts the contents of the ZIP archive.\u003c/li\u003e\n\u003cli\u003eDue to the lack of sanitization, the \u003ccode\u003eextractTo()\u003c/code\u003e function writes the malicious file to an arbitrary location on the server\u0026rsquo;s filesystem, as dictated by the path traversal sequence.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a PHP webshell to a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded PHP webshell through a web browser (e.g., \u003ccode\u003ehttp://example.com/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server via the webshell, achieving Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the affected Emlog server. This can lead to data breaches, website defacement, malware distribution, or further attacks against other systems on the network. Given that Emlog is used by numerous websites, the potential impact could be widespread, affecting potentially hundreds or thousands of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for Emlog as soon as they are released to address CVE-2026-34607.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the \u003ccode\u003eemUnZip()\u003c/code\u003e function to prevent path traversal attacks. Specifically, sanitize ZIP entry names before passing them to the \u003ccode\u003eextractTo()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to PHP files in unusual directories (e.g., outside the webroot) after ZIP archive uploads, using the provided Sigma rule for webserver logs.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect process creation from web server processes to identify potential webshell execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T23:17:04Z","date_published":"2026-04-03T23:17:04Z","id":"/briefs/2024-01-emlog-rce/","summary":"Emlog versions 2.6.2 and prior are vulnerable to path traversal via crafted ZIP uploads, allowing authenticated admins to write arbitrary files and achieve remote code execution.","title":"Emlog Path Traversal Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-emlog-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35214"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","vulnerability","budibase"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to a path traversal attack in versions prior to 3.33.4. This flaw resides in the plugin file upload endpoint (POST /api/plugin/upload), where the user-supplied filename is passed unsanitized to createTempFolder(). An attacker with Global Builder privileges can exploit this by crafting a multipart upload containing \u0026ldquo;../\u0026rdquo; sequences in the filename. This allows them to manipulate file paths, leading to arbitrary directory deletion via rmSync and arbitrary file write via tarball extraction. The attacker can write files to any filesystem path accessible by the Node.js process running Budibase. This vulnerability has been patched in version 3.33.4, and organizations using older versions are at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains Global Builder privileges within a vulnerable Budibase instance (version \u0026lt; 3.33.4).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a multipart upload request targeting the \u003ccode\u003e/api/plugin/upload\u003c/code\u003e endpoint (POST request).\u003c/li\u003e\n\u003cli\u003eWithin the multipart form data, the attacker includes a filename parameter.\u003c/li\u003e\n\u003cli\u003eThe filename parameter contains path traversal sequences such as \u0026ldquo;../\u0026rdquo; to manipulate the file path.\u003c/li\u003e\n\u003cli\u003eThe Budibase application passes the unsanitized filename to the \u003ccode\u003ecreateTempFolder()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe manipulated path is then used in subsequent file system operations, such as \u003ccode\u003ermSync\u003c/code\u003e (for deleting directories) and tarball extraction.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003ermSync\u003c/code\u003e with the manipulated path to delete arbitrary directories on the server.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker leverages tarball extraction to write arbitrary files to arbitrary locations on the server, leading to potential code execution or data compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with Global Builder privileges to perform arbitrary file system operations on the Budibase server. This includes the ability to delete arbitrary directories, potentially causing denial of service, and write arbitrary files, potentially leading to remote code execution. The impact is significant as it could allow for complete system compromise if the attacker can overwrite critical system files or deploy malicious code. This is especially dangerous for organizations relying on Budibase for critical business applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Budibase to version 3.33.4 or later to patch the CVE-2026-35214 vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api/plugin/upload\u003c/code\u003e endpoint containing filenames with \u0026ldquo;../\u0026rdquo; sequences using the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the number of users with Global Builder privileges within Budibase.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2024-05-budibase-traversal/","summary":"A path traversal vulnerability exists in Budibase versions prior to 3.33.4, allowing attackers with Global Builder privileges to delete arbitrary directories and write arbitrary files via crafted plugin uploads.","title":"Budibase Path Traversal Vulnerability in Plugin Upload","url":"https://feed.craftedsignal.io/briefs/2024-05-budibase-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4350"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4350","wordpress","perfmatters","file-deletion","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin, a popular WordPress performance optimization tool, contains a critical vulnerability (CVE-2026-4350) affecting versions up to and including 2.5.9.1. This flaw enables authenticated attackers with Subscriber-level access, the lowest privilege level in WordPress, to delete arbitrary files on the server. The vulnerability stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s failure to sanitize the \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter. This lack of validation allows for path traversal attacks using sequences like \u003ccode\u003e../\u003c/code\u003e, enabling attackers to navigate outside the intended storage directory and delete any accessible file. Successful exploitation can lead to the deletion of critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e, effectively disabling the website and potentially allowing a full site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using a vulnerable version (\u0026lt;=2.5.9.1) of the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eAttacker gains Subscriber-level access to the WordPress site. This can be achieved through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress site. The request includes the \u003ccode\u003edelete\u003c/code\u003e parameter with a path traversal payload. For example: \u003ccode\u003e?delete=../../../../wp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method within the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method processes the unsanitized \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin concatenates the malicious path with the storage directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function executes, deleting the file specified by the attacker\u0026rsquo;s path traversal payload.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully deletes \u003ccode\u003ewp-config.php\u003c/code\u003e, the WordPress site becomes inaccessible and redirects to the installation wizard, potentially allowing for complete site takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4350 allows attackers to delete arbitrary files on a vulnerable WordPress server. A key target is \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains sensitive database credentials. Deleting this file forces WordPress into the installation wizard, potentially leading to a full site takeover. The impact ranges from defacement and data loss to complete control of the website, impacting businesses, organizations, and individuals relying on WordPress for their online presence. The ease of exploitation due to the low privilege requirements makes this a high-risk vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4350.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Deletion Attempt\u003c/code\u003e to identify potential exploitation attempts based on \u003ccode\u003ecs-uri-query\u003c/code\u003e in web server logs.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting on requests to \u003ccode\u003ewp-admin/options.php\u003c/code\u003e to mitigate potential brute-force exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual patterns in \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters containing \u003ccode\u003e../\u003c/code\u003e sequences, as these may indicate path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T08:16:17Z","date_published":"2026-04-03T08:16:17Z","id":"/briefs/2026-04-perfmatters-file-deletion/","summary":"The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.","title":"Perfmatters WordPress Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4350)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-34790"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","path-traversal","file-deletion","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEndian Firewall, a security-focused Linux distribution designed for gateway security, is vulnerable to a path traversal attack. Specifically, versions 3.3.25 and earlier are affected by CVE-2026-34790. An authenticated user, with low-level privileges, can exploit this vulnerability to delete arbitrary files on the system. The flaw resides in the \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e script where the \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter is not properly sanitized. This allows an attacker to inject directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) into the file path, bypassing intended restrictions. This can lead to deletion of sensitive files, potentially disrupting system operations or facilitating further malicious activities. The vulnerability was reported in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Endian Firewall web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter with a payload containing directory traversal sequences (e.g., \u003ccode\u003e../../../../etc/shadow\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e script receives the request and constructs a file path using the unsanitized \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe script calls the \u003ccode\u003eunlink()\u003c/code\u003e function with the attacker-controlled file path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function deletes the file specified by the manipulated path.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to delete other critical system files.\u003c/li\u003e\n\u003cli\u003eThis can lead to a denial-of-service condition, data loss, or the potential for further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to delete arbitrary files on the Endian Firewall system. This can result in a denial-of-service (DoS) condition if critical system files are removed. An attacker may target configuration files, logs, or even binaries, leading to system instability or the disabling of security features. The number of potential victims is dependent on the number of Endian Firewall deployments running vulnerable versions (3.3.25 and prior). Given that Endian Firewall is often used in small to medium-sized businesses, the impact could range from disruption of network services to potential data breaches, depending on the specific files targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a version of Endian Firewall that addresses CVE-2026-34790 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) in the \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter using the provided Sigma rule \u0026ldquo;Detect Endian Firewall Path Traversal Attempt\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied input, especially within CGI scripts like \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e, to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eRestrict access to the Endian Firewall web interface to trusted networks or users and enforce strong authentication measures.\u003c/li\u003e\n\u003cli\u003eRegularly back up the Endian Firewall configuration and critical system files to mitigate the impact of potential data loss due to successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T15:16:42Z","date_published":"2026-04-02T15:16:42Z","id":"/briefs/2026-04-endian-traversal/","summary":"Endian Firewall versions 3.3.25 and prior allow authenticated users to delete arbitrary files due to a path traversal vulnerability in the `remove ARCHIVE` parameter of the `/cgi-bin/backup.cgi` script, leading to unauthorized file system modification.","title":"Endian Firewall Arbitrary File Deletion via Path Traversal (CVE-2026-34790)","url":"https://feed.craftedsignal.io/briefs/2026-04-endian-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","sillytavern"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSillyTavern, a local web UI for large language models, is vulnerable to a path traversal attack. This vulnerability, affecting versions 1.16.0 and earlier, stems from insufficient input validation in the \u003ccode\u003eavatar_url\u003c/code\u003e parameter of the \u003ccode\u003e/api/chats/export\u003c/code\u003e and \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoints. An authenticated attacker can exploit this flaw to read or delete arbitrary files within the user\u0026rsquo;s data directory. The vulnerability exists because the application fails to adequately sanitize path traversal sequences like \u003ccode\u003e..\u003c/code\u003e when constructing file paths. This can lead to the exposure of sensitive information such as \u003ccode\u003esecrets.json\u003c/code\u003e and \u003ccode\u003esettings.json\u003c/code\u003e, or the deletion of crucial user data, particularly in multi-user or remotely-accessible deployments. The vulnerability was patched in version 1.17.0 and assigned CVE-2026-34524.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the SillyTavern application using valid credentials, obtaining a session cookie and CSRF token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/api/chats/export\u003c/code\u003e or \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eavatar_url\u003c/code\u003e parameter in the request body to a path traversal sequence, such as \u003ccode\u003e..\u003c/code\u003e, to navigate outside the intended \u0026ldquo;chats\u0026rdquo; directory.\u003c/li\u003e\n\u003cli\u003eIn the \u003ccode\u003e/api/chats/export\u003c/code\u003e endpoint, the attacker specifies the \u003ccode\u003efile\u003c/code\u003e parameter to point to the desired file to read, such as \u003ccode\u003esecrets.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server-side application uses \u003ccode\u003epath.join\u003c/code\u003e to concatenate the user\u0026rsquo;s chats directory with the attacker-controlled \u003ccode\u003eavatar_url\u003c/code\u003e and \u003ccode\u003efile\u003c/code\u003e parameters, resulting in path traversal.\u003c/li\u003e\n\u003cli\u003eThe application reads the contents of the file specified by the attacker.\u003c/li\u003e\n\u003cli\u003eIn the \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoint, the attacker specifies the \u003ccode\u003echatfile\u003c/code\u003e parameter to point to the desired file to delete, such as \u003ccode\u003esettings.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application deletes the file specified by the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. Attackers can gain unauthorized access to sensitive configuration files like \u003ccode\u003esecrets.json\u003c/code\u003e, potentially exposing API keys, passwords, and other confidential information. Furthermore, the ability to delete arbitrary files allows attackers to disrupt the application\u0026rsquo;s functionality or even render a user\u0026rsquo;s account unusable by deleting critical files such as \u003ccode\u003esettings.json\u003c/code\u003e. The risk is amplified in multi-user environments or remotely-accessible deployments, where the impact can extend to multiple users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to SillyTavern version 1.17.0 or later to patch CVE-2026-34524.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern Path Traversal Attempt via API Export\u0026rdquo; to detect attempts to exploit the \u003ccode\u003e/api/chats/export\u003c/code\u003e endpoint by monitoring for path traversal sequences in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern Path Traversal Attempt via API Delete\u0026rdquo; to detect attempts to exploit the \u003ccode\u003e/api/chats/delete\u003c/code\u003e endpoint by monitoring for path traversal sequences in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual requests to \u003ccode\u003e/api/chats/export\u003c/code\u003e or \u003ccode\u003e/api/chats/delete\u003c/code\u003e with suspicious \u003ccode\u003eavatar_url\u003c/code\u003e parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-sillytavern-path-traversal/","summary":"A path traversal vulnerability in SillyTavern versions 1.16.0 and earlier allows an authenticated attacker to read and delete arbitrary files under their user data root by manipulating the avatar_url parameter in the `/api/chats/export` and `/api/chats/delete` endpoints.","title":"SillyTavern Path Traversal Vulnerability in Chat Endpoints","url":"https://feed.craftedsignal.io/briefs/2026-04-sillytavern-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","tina-cms","CVE-2026-34603"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTina CMS, a headless content management system, is susceptible to a path traversal vulnerability in versions prior to 2.2.2. The vulnerability, identified as CVE-2026-34603, stems from insufficient validation of symlink and junction targets within the \u003ccode\u003e@tinacms/cli\u003c/code\u003e media routes. Although lexical path-traversal checks were implemented, they only validate the path string without resolving symlinks or junctions. This flaw enables attackers to bypass intended security measures and perform unauthorized file system operations, potentially leading to sensitive data exposure or system compromise. This vulnerability has been addressed in version 2.2.2. Defenders should prioritize upgrading to the patched version to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tina CMS instance running a version prior to 2.2.2.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting a media route.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a path containing a symlink or junction pointing outside the intended media root directory (e.g., \u003ccode\u003epivot/written-from-media.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eTina CMS validates the path string but fails to resolve the symlink or junction.\u003c/li\u003e\n\u003cli\u003eThe application incorrectly determines that the path is within the allowed media directory.\u003c/li\u003e\n\u003cli\u003eThe application performs file system operations (listing, writing, or deleting) based on the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eThe file system operation is executed outside the intended media root due to the resolved symlink or junction.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to sensitive files or directories, potentially leading to data exfiltration, modification, or deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34603 can lead to unauthorized access to sensitive files and directories on the server hosting Tina CMS. An attacker could list, read, write, or delete files outside the intended media root, potentially leading to data exfiltration, website defacement, or even complete system compromise. The impact is particularly significant if the affected server stores sensitive information or is critical to business operations. The number of potential victims is currently unknown, but any organization using vulnerable versions of Tina CMS is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tina CMS to version 2.2.2 or later to patch CVE-2026-34603.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block suspicious requests containing path traversal sequences targeting media routes.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for unusual file access patterns and path traversal attempts. Deploy the provided Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T17:28:41Z","date_published":"2026-04-01T17:28:41Z","id":"/briefs/2026-04-tina-cms-path-traversal/","summary":"Tina CMS versions before 2.2.2 are vulnerable to a path traversal attack that allows unauthorized file system access due to insufficient validation of symlinks and junction targets in media routes.","title":"Tina CMS Path Traversal Vulnerability (CVE-2026-34603)","url":"https://feed.craftedsignal.io/briefs/2026-04-tina-cms-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5258"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","cve-2026-5258","web application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSanster IOPaint version 1.5.3 is vulnerable to a path traversal flaw (CVE-2026-5258) within its File Manager component. The vulnerability resides in the \u003ccode\u003e_get_file\u003c/code\u003e function located in \u003ccode\u003eiopaint/file_manager/file_manager.py\u003c/code\u003e. By crafting a malicious request and manipulating the \u003ccode\u003efilename\u003c/code\u003e argument, an unauthenticated attacker can bypass directory restrictions and potentially read sensitive files on the server. Publicly available exploits exist, increasing the urgency for patching or mitigating this vulnerability. The vendor was notified but did not respond.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Sanster IOPaint 1.5.3 instance running a vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the file retrieval endpoint of the \u003ccode\u003eFile Manager\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker manipulates the \u003ccode\u003efilename\u003c/code\u003e parameter to include path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application, specifically the \u003ccode\u003e_get_file\u003c/code\u003e function in \u003ccode\u003eiopaint/file_manager/file_manager.py\u003c/code\u003e, receives the request with the tainted \u003ccode\u003efilename\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation and sanitization, the application incorrectly constructs the file path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to read a file from a location outside the intended directory, based on the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf successful, the application returns the contents of the arbitrary file in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the content of the targeted file, potentially containing sensitive information or configuration data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-5258) allows an attacker to read arbitrary files on the server hosting Sanster IOPaint. This can lead to the disclosure of sensitive information, such as application source code, configuration files containing database credentials, or user data. The impact depends on the permissions of the user account running the application. If the application runs with elevated privileges, the attacker may be able to access system-level files, potentially leading to further compromise of the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect IOPaint Path Traversal Attempt\u003c/code\u003e to detect exploitation attempts based on suspicious URL encoding in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on the \u003ccode\u003efilename\u003c/code\u003e parameter within the \u003ccode\u003e_get_file\u003c/code\u003e function to prevent path traversal attacks as described in CVE-2026-5258.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) with rules designed to block path traversal attempts.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Sanster IOPaint as soon as one becomes available to remediate CVE-2026-5258.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T07:16:02Z","date_published":"2026-04-01T07:16:02Z","id":"/briefs/2026-04-iopaint-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-5258) exists in Sanster IOPaint 1.5.3, allowing remote attackers to read arbitrary files by manipulating the filename argument in the _get_file function within the File Manager component.","title":"Sanster IOPaint Path Traversal Vulnerability (CVE-2026-5258)","url":"https://feed.craftedsignal.io/briefs/2026-04-iopaint-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2025-10559"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","delmia","cve-2025-10559"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-10559 is a critical path traversal vulnerability found in the DELMIA Factory Resource Manager, impacting versions from 3DEXPERIENCE R2023x to R2025x. This vulnerability allows an attacker with low-level privileges (authenticated user) to manipulate file paths and potentially read or write arbitrary files within specific directories on the server. This can be exploited to read sensitive configuration files, overwrite critical system files, or potentially achieve remote code execution…\u003c/p\u003e\n","date_modified":"2026-03-31T09:16:21Z","date_published":"2026-03-31T09:16:21Z","id":"/briefs/2026-03-delmia-path-traversal/","summary":"CVE-2025-10559 is a path traversal vulnerability in DELMIA Factory Resource Manager, affecting versions 3DEXPERIENCE R2023x through R2025x, which allows an attacker with low privileges to read or write files in specific directories on the server, potentially leading to information disclosure or code execution.","title":"DELMIA Factory Resource Manager Path Traversal Vulnerability (CVE-2025-10559)","url":"https://feed.craftedsignal.io/briefs/2026-03-delmia-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-32727"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["scitokens","path-traversal","cve-2026-32727","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe SciTokens library, a reference implementation for generating and using SciTokens, is susceptible to a path traversal vulnerability affecting versions prior to 1.9.7. This vulnerability, identified as CVE-2026-32727, stems from the library\u0026rsquo;s Enforcer component. An attacker can exploit this flaw by crafting a malicious token containing a scope claim with \u0026ldquo;dot-dot\u0026rdquo; (..) sequences. These sequences allow the attacker to navigate outside the intended directory restriction, potentially accessing…\u003c/p\u003e\n","date_modified":"2026-03-31T03:15:57Z","date_published":"2026-03-31T03:15:57Z","id":"/briefs/2024-01-23-scitokens-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-32727) in SciTokens library versions prior to 1.9.7 allows attackers to bypass intended directory restrictions using dot-dot sequences in the scope claim of a token due to improper path normalization.","title":"SciTokens Library Path Traversal Vulnerability (CVE-2026-32727)","url":"https://feed.craftedsignal.io/briefs/2024-01-23-scitokens-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","graphql","tinacms","arbitrary-file-write"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in versions 2.2.1 and earlier of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e, a GraphQL API for TinaCMS. This flaw enables unauthenticated attackers to write and overwrite arbitrary files within the project root directory. The vulnerability stems from insufficient validation of the \u003ccode\u003erelativePath\u003c/code\u003e parameter within GraphQL mutations. By exploiting this weakness, attackers can overwrite critical server configuration files like \u003ccode\u003epackage.json\u003c/code\u003e and \u003ccode\u003etsconfig.json\u003c/code\u003e, inject malicious scripts into the \u003ccode\u003epublic/\u003c/code\u003e directory, and even achieve arbitrary code execution by modifying build scripts or server-side logic files. This vulnerability poses a significant risk to systems utilizing vulnerable versions of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a TinaCMS instance running a vulnerable version of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e (\u0026lt;= 2.2.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GraphQL mutation request targeting the \u003ccode\u003eupdateDocument\u003c/code\u003e mutation.\u003c/li\u003e\n\u003cli\u003eWithin the mutation, the attacker manipulates the \u003ccode\u003erelativePath\u003c/code\u003e parameter to include a path traversal sequence, such as \u003ccode\u003ex\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\package.json\u003c/code\u003e. The backslashes are misinterpreted on non-Windows systems.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003egetValidatedPath\u003c/code\u003e function fails to properly sanitize the malicious path due to the backslash bypass on non-Windows platforms.\u003c/li\u003e\n\u003cli\u003eThe request is processed, and the server attempts to write to the attacker-specified file path.\u003c/li\u003e\n\u003cli\u003eThe file system API resolves the path traversal sequence, leading to a write operation outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a critical file, such as \u003ccode\u003epackage.json\u003c/code\u003e, with malicious content.\u003c/li\u003e\n\u003cli\u003eThe server or build process executes the modified file, resulting in arbitrary code execution or other malicious behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to perform arbitrary file writes, leading to several critical consequences. Attackers can overwrite server configuration files, inject malicious scripts for client-side attacks, and achieve arbitrary code execution by modifying build scripts or server-side logic. The impact ranges from denial of service to complete system compromise. While the exact number of affected systems is unknown, all TinaCMS instances running \u003ccode\u003e@tinacms/graphql\u003c/code\u003e version 2.2.1 or earlier are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@tinacms/graphql\u003c/code\u003e to a patched version (later than 2.2.1) to remediate CVE-2026-33949.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect TinaCMS GraphQL Path Traversal Attempt\u003c/code\u003e to identify attempted exploitation of the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/graphql\u003c/code\u003e endpoint containing suspicious \u003ccode\u003erelativePath\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for file paths within GraphQL mutations, regardless of the underlying operating system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T17:11:02Z","date_published":"2026-03-30T17:11:02Z","id":"/briefs/2026-04-tinacms-path-traversal/","summary":"A path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root by manipulating the relativePath parameter in GraphQL mutations, leading to potential arbitrary code execution.","title":"TinaCMS GraphQL Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tinacms-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-2328 is a critical vulnerability that allows an unauthenticated remote attacker to perform path traversal attacks due to insufficient input validation. This flaw enables unauthorized access to backend components, potentially exposing sensitive information. The vulnerability was published on March 30, 2026, and assigned a CVSS v3.1 score of 7.5. The vulnerability stems from inadequate input sanitization, permitting attackers to manipulate file paths and access restricted areas of the…\u003c/p\u003e\n","date_modified":"2026-03-30T08:16:17Z","date_published":"2026-03-30T08:16:17Z","id":"/briefs/2026-03-path-traversal/","summary":"CVE-2026-2328 describes a vulnerability where an unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, leading to the exposure of sensitive information.","title":"CVE-2026-2328 Unauthenticated Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["langchain","path-traversal","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple path traversal vulnerabilities have been identified within the \u003ccode\u003elangchain-core\u003c/code\u003e package, specifically affecting the legacy \u003ccode\u003eload_prompt\u003c/code\u003e, \u003ccode\u003eload_prompt_from_config\u003c/code\u003e, and \u003ccode\u003e.save()\u003c/code\u003e methods. These vulnerabilities stem from a lack of validation on file paths embedded within deserialized configuration dictionaries. An attacker who can influence or control the prompt configuration supplied to these functions can exploit this flaw to read arbitrary files on the host filesystem. The scope is constrained by file extension checks, limiting readable files to \u003ccode\u003e.txt\u003c/code\u003e for templates and \u003ccode\u003e.json\u003c/code\u003e or \u003ccode\u003e.yaml\u003c/code\u003e for examples. This issue impacts applications that accept prompt configurations from untrusted sources, such as low-code AI builders and API wrappers exposing \u003ccode\u003eload_prompt_from_config()\u003c/code\u003e. The vulnerable code resides within \u003ccode\u003elangchain_core/prompts/loading.py\u003c/code\u003e in the \u003ccode\u003e_load_template()\u003c/code\u003e, \u003ccode\u003e_load_examples()\u003c/code\u003e, and \u003ccode\u003e_load_few_shot_prompt()\u003c/code\u003e functions. This vulnerability is resolved in \u003ccode\u003elangchain-core\u003c/code\u003e version 1.2.22, and the affected functions are now deprecated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an application using the vulnerable \u003ccode\u003elangchain-core\u003c/code\u003e library and the legacy \u003ccode\u003eload_prompt_from_config()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious prompt configuration dictionary containing a \u003ccode\u003etemplate_path\u003c/code\u003e, \u003ccode\u003esuffix_path\u003c/code\u003e, \u003ccode\u003eprefix_path\u003c/code\u003e, \u003ccode\u003eexamples\u003c/code\u003e, or \u003ccode\u003eexample_prompt_path\u003c/code\u003e key with a path traversal sequence (e.g., \u003ccode\u003e../../etc/passwd\u003c/code\u003e) or an absolute path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious configuration into the application, potentially via a low-code AI builder or an API endpoint that accepts prompt configurations.\u003c/li\u003e\n\u003cli\u003eThe application deserializes the malicious configuration dictionary and passes it to \u003ccode\u003eload_prompt_from_config()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eload_prompt_from_config()\u003c/code\u003e calls the relevant vulnerable function (\u003ccode\u003e_load_template()\u003c/code\u003e, \u003ccode\u003e_load_examples()\u003c/code\u003e, or \u003ccode\u003e_load_few_shot_prompt()\u003c/code\u003e) based on the configuration.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function reads the file specified in the malicious path without proper validation.\u003c/li\u003e\n\u003cli\u003eThe contents of the file are then incorporated into a prompt object.\u003c/li\u003e\n\u003cli\u003eThe application, believing the prompt is benign, processes it further, potentially disclosing the file contents to the attacker via an error message, logging, or other output channels.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to read arbitrary files on the system, potentially exposing sensitive information. This includes cloud-mounted secrets (e.g., \u003ccode\u003e/mnt/secrets/api_key.txt\u003c/code\u003e), configuration files (e.g., \u003ccode\u003erequirements.txt\u003c/code\u003e), cloud credentials (e.g., \u003ccode\u003e~/.docker/config.json\u003c/code\u003e), Kubernetes manifests, CI/CD configurations, and application settings. The impact is especially severe in applications that handle sensitive data or operate in cloud environments. While no victim numbers are available, any application using the vulnerable \u003ccode\u003elangchain-core\u003c/code\u003e versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003elangchain-core\u003c/code\u003e to version 1.2.22 or later to patch CVE-2026-34070.\u003c/li\u003e\n\u003cli\u003eMigrate away from the deprecated \u003ccode\u003eload_prompt\u003c/code\u003e, \u003ccode\u003eload_prompt_from_config\u003c/code\u003e, and \u003ccode\u003e.save()\u003c/code\u003e methods in favor of the \u003ccode\u003edumpd\u003c/code\u003e/\u003ccode\u003edumps\u003c/code\u003e/\u003ccode\u003eload\u003c/code\u003e/\u003ccode\u003eloads\u003c/code\u003e serialization APIs in \u003ccode\u003elangchain_core.load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf you cannot immediately upgrade, sanitize user-supplied prompt configurations to prevent path traversal by rejecting absolute paths and paths containing \u003ccode\u003e..\u003c/code\u003e sequences.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;LangChain Path Traversal Attempt\u0026rdquo; to detect attempts to exploit this vulnerability by monitoring process creations involving \u003ccode\u003epython\u003c/code\u003e and path traversal sequences in command line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T10:00:00Z","date_published":"2026-03-28T10:00:00Z","id":"/briefs/2026-03-langchain-path-traversal/","summary":"A path traversal vulnerability in LangChain Core's legacy `load_prompt` functions allows attackers to read arbitrary files by injecting malicious paths into prompt configurations.","title":"LangChain Core Path Traversal Vulnerability in Legacy APIs","url":"https://feed.craftedsignal.io/briefs/2026-03-langchain-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-write","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003e@mobilenext/mobile-mcp\u003c/code\u003e npm package, versions prior to 0.0.49, contains a critical path traversal vulnerability. This flaw stems from the \u003ccode\u003emobile_save_screenshot\u003c/code\u003e and \u003ccode\u003emobile_start_screen_recording\u003c/code\u003e tools which improperly handle user-supplied paths. Specifically, the \u003ccode\u003esaveTo\u003c/code\u003e parameter in \u003ccode\u003emobile_save_screenshot\u003c/code\u003e and the \u003ccode\u003eoutput\u003c/code\u003e parameter in \u003ccode\u003emobile_start_screen_recording\u003c/code\u003e are passed directly to filesystem write operations without adequate validation. This oversight enables a malicious actor to write arbitrary files to locations outside of the intended workspace. A successful exploit of this vulnerability allows for the potential overwriting of sensitive system files, enabling privilege escalation and persistence on the host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control over the \u003ccode\u003esaveTo\u003c/code\u003e or \u003ccode\u003eoutput\u003c/code\u003e parameter of the vulnerable functions. This could be achieved through a malicious application, supply chain attack, or other means of code injection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a path containing traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) designed to navigate outside of the intended save directory.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003emobile_save_screenshot\u003c/code\u003e or \u003ccode\u003emobile_start_screen_recording\u003c/code\u003e tool with the manipulated path as the \u003ccode\u003esaveTo\u003c/code\u003e or \u003ccode\u003eoutput\u003c/code\u003e parameter, respectively.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function passes the attacker-controlled path to \u003ccode\u003efs.writeFileSync()\u003c/code\u003e without validation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efs.writeFileSync()\u003c/code\u003e writes the screenshot or screen recording data to the attacker-specified path.\u003c/li\u003e\n\u003cli\u003eIf the path leads to a sensitive system file (e.g., \u003ccode\u003e~/.bashrc\u003c/code\u003e, \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e), it is overwritten with the contents of the screenshot or screen recording.\u003c/li\u003e\n\u003cli\u003eThe attacker can overwrite configuration files or executables in order to achieve code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and/or elevated privileges on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability can have severe consequences. An attacker can overwrite critical system files, such as shell configuration files (\u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e), SSH authorized keys (\u003ccode\u003e.ssh/authorized_keys\u003c/code\u003e), or application configuration files. This can lead to arbitrary code execution, privilege escalation, and persistent backdoor access to the affected system. The reported impact includes potential for a broken shell and unauthorized access. All users of \u003ccode\u003e@mobilenext/mobile-mcp\u003c/code\u003e versions prior to 0.0.49 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@mobilenext/mobile-mcp\u003c/code\u003e version 0.0.49 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation for all file paths used in file system operations. Specifically, validate the \u003ccode\u003esaveTo\u003c/code\u003e and \u003ccode\u003eoutput\u003c/code\u003e parameters of the \u003ccode\u003emobile_save_screenshot\u003c/code\u003e and \u003ccode\u003emobile_start_screen_recording\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Mobile-MCP Path Traversal Attempts\u0026rdquo; to your SIEM to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unusual file access patterns or attempts to write to sensitive system directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T19:13:17Z","date_published":"2026-03-27T19:13:17Z","id":"/briefs/2024-01-04-mobile-mcp-path-traversal/","summary":"The @mobilenext/mobile-mcp package before version 0.0.49 is vulnerable to a Path Traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools where the `saveTo` and `output` parameters are passed directly to filesystem operations without validation, potentially allowing an attacker to write files outside the intended workspace, leading to privilege escalation and persistence by overwriting sensitive host files.","title":"@mobilenext/mobile-mcp Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-04-mobile-mcp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","file-upload","cve-2026-5027","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5027 exposes a critical vulnerability in the \u0026lsquo;POST /api/v2/files\u0026rsquo; endpoint, where the \u0026lsquo;filename\u0026rsquo; parameter within multipart form data is not properly sanitized. This flaw allows an attacker to manipulate the filename by injecting path traversal sequences such as \u0026lsquo;../\u0026rsquo;, leading to the ability to write files to arbitrary locations on the server\u0026rsquo;s filesystem. This vulnerability was reported by Tenable Network Security, Inc. and has a CVSS v3.1 base score of 8.8 (HIGH). Successful…\u003c/p\u003e\n","date_modified":"2026-03-27T15:17:04Z","date_published":"2026-03-27T15:17:04Z","id":"/briefs/2026-03-path-traversal-api/","summary":"The 'POST /api/v2/files' endpoint is vulnerable to path traversal due to improper sanitization of the 'filename' parameter, potentially allowing attackers to write files to arbitrary locations on the filesystem and achieve remote code execution.","title":"Path Traversal Vulnerability in API File Upload Endpoint (CVE-2026-5027)","url":"https://feed.craftedsignal.io/briefs/2026-03-path-traversal-api/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","cms","laravel","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSharp CMS, a content management framework built for Laravel, is vulnerable to a path traversal attack. This vulnerability affects versions prior to 9.20.0 and stems from the \u003ccode\u003eFileUtil\u003c/code\u003e class not properly sanitizing file extensions. The flaw allows attackers to manipulate file paths by injecting path separators, potentially leading to unauthorized file access or manipulation within the storage layer. The vulnerability resides in the \u003ccode\u003eFileUtil::explodeExtension()\u003c/code\u003e function within…\u003c/p\u003e\n","date_modified":"2026-03-26T22:16:31Z","date_published":"2026-03-26T22:16:31Z","id":"/briefs/2024-05-sharp-path-traversal/","summary":"A path traversal vulnerability exists in Sharp CMS versions prior to 9.20.0 due to improper sanitization of file extensions, potentially allowing attackers to bypass security restrictions and access sensitive files.","title":"Sharp CMS Path Traversal Vulnerability (CVE-2026-33686)","url":"https://feed.craftedsignal.io/briefs/2024-05-sharp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLangflow, a tool designed for building and deploying AI-powered agents and workflows, is vulnerable to a path traversal attack (CVE-2026-33497) in versions prior to 1.7.1. The vulnerability resides within the download_profile_picture function of the \u003ccode\u003e/profile_pictures/{folder_name}/{file_name}\u003c/code\u003e endpoint. Due to inadequate filtering of the \u003ccode\u003efolder_name\u003c/code\u003e and \u003ccode\u003efile_name\u003c/code\u003e parameters, an attacker can manipulate these inputs to traverse directories and potentially access sensitive files, including…\u003c/p\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-langflow-path-traversal/","summary":"A path traversal vulnerability in Langflow versions before 1.7.1 allows unauthenticated attackers to read sensitive files via the download_profile_picture endpoint due to insufficient filtering of the folder_name and file_name parameters.","title":"Langflow Path Traversal Vulnerability (CVE-2026-33497)","url":"https://feed.craftedsignal.io/briefs/2026-03-langflow-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","cve-2025-60946","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCensus CSWeb 8.0.1 is vulnerable to path traversal (CVE-2025-60946). A remote, authenticated attacker can supply arbitrary file path input and access unintended file directories. This allows the attacker to read sensitive files or potentially overwrite existing files, leading to information disclosure or code execution. The vulnerability was reported on March 23, 2026, and is fixed in version 8.1.0 alpha. Defenders should upgrade to the patched version to prevent potential exploitation of this…\u003c/p\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-census-csweb-path-traversal/","summary":"CVE-2025-60946 details a vulnerability in Census CSWeb 8.0.1, where arbitrary file path input is permitted, allowing a remote, authenticated attacker to access unintended file directories.","title":"Census CSWeb 8.0.1 Path Traversal Vulnerability (CVE-2025-60946)","url":"https://feed.craftedsignal.io/briefs/2026-03-census-csweb-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-22739","path-traversal","spring-cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22739 describes a path traversal vulnerability affecting Spring Cloud Config Server. The vulnerability arises when the Config Server is configured with the native file system backend and processes a request containing a profile parameter. An attacker can manipulate this parameter to access files outside the intended search directories. This issue impacts Spring Cloud versions 3.1.x before 3.1.13, 4.1.x before 4.1.9, 4.2.x before 4.2.3, 4.3.x before 4.3.2, and 5.0.x before 5.0.2. This…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:00Z","date_published":"2026-03-24T01:17:00Z","id":"/briefs/2026-03-spring-cloud-path-traversal/","summary":"A path traversal vulnerability exists in Spring Cloud Config Server versions 3.1.x before 3.1.13, 4.1.x before 4.1.9, 4.2.x before 4.2.3, 4.3.x before 4.3.2, and 5.0.x before 5.0.2, allowing unauthenticated remote attackers to access files outside configured search directories when using the native file system backend.","title":"Spring Cloud Config Server Path Traversal Vulnerability (CVE-2026-22739)","url":"https://feed.craftedsignal.io/briefs/2026-03-spring-cloud-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tekton","path-traversal","kubernetes","cve-2026-33211","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD pipelines. A path traversal vulnerability exists in the git resolver component, tracked as CVE-2026-33211. This vulnerability affects Tekton Pipelines versions 1.0.0 and prior to 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. An attacker with the ability to create \u003ccode\u003eResolutionRequests\u003c/code\u003e (e.g., through \u003ccode\u003eTaskRuns\u003c/code\u003e or \u003ccode\u003ePipelineRuns\u003c/code\u003e that utilize the git resolver) can exploit this flaw to read any file from the resolver pod\u0026rsquo;s file system. A successful exploit allows attackers to retrieve sensitive information, such as ServiceAccount tokens, which are base64-encoded and returned in \u003ccode\u003eresolutionrequest.status.data\u003c/code\u003e. The vulnerability has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. This poses a significant risk in multi-tenant environments where lateral movement and privilege escalation are possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to create \u003ccode\u003eTaskRuns\u003c/code\u003e or \u003ccode\u003ePipelineRuns\u003c/code\u003e within a Tekton Pipelines environment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eResolutionRequest\u003c/code\u003e that leverages the git resolver.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eResolutionRequest\u003c/code\u003e, the attacker injects a path traversal sequence into the \u003ccode\u003epathInRepo\u003c/code\u003e parameter, such as \u0026ldquo;../../../../etc/passwd\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe git resolver attempts to resolve the resource using the provided path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the resolver accesses the file specified by the attacker on the resolver pod\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe contents of the accessed file are read by the resolver.\u003c/li\u003e\n\u003cli\u003eThe resolver encodes the file content in base64.\u003c/li\u003e\n\u003cli\u003eThe base64-encoded content is returned in the \u003ccode\u003eresolutionrequest.status.data\u003c/code\u003e field, allowing the attacker to retrieve the content. This can include sensitive files such as ServiceAccount tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33211 allows attackers to read arbitrary files from the Tekton Pipelines resolver pod. This can lead to the compromise of sensitive information, including ServiceAccount tokens. If ServiceAccount tokens are compromised, attackers can potentially gain unauthorized access to Kubernetes resources, leading to privilege escalation, lateral movement within the cluster, and potential data exfiltration. The impact is especially high in multi-tenant environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tekton Pipelines to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2 or later to patch CVE-2026-33211.\u003c/li\u003e\n\u003cli\u003eImplement strict RBAC policies to limit the ability to create \u003ccode\u003eTaskRuns\u003c/code\u003e and \u003ccode\u003ePipelineRuns\u003c/code\u003e to only authorized users and service accounts.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes API audit logs for suspicious \u003ccode\u003eResolutionRequest\u003c/code\u003e creation events (see rule: \u0026ldquo;Detect Suspicious ResolutionRequest Creation\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict network access from the resolver pod to only necessary resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T00:16:29Z","date_published":"2026-03-24T00:16:29Z","id":"/briefs/2026-03-tekton-traversal/","summary":"The Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter, allowing arbitrary file reads from the resolver pod's filesystem, including ServiceAccount tokens.","title":"Tekton Pipelines Git Resolver Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tekton-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","access-control-bypass","web-framework"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSalvo, a Rust web framework, is vulnerable to a path traversal and access control bypass in versions 0.39.0 through 0.89.2. This vulnerability, identified as CVE-2026-33242, resides within the \u003ccode\u003esalvo-proxy\u003c/code\u003e component. The flaw allows unauthenticated, remote attackers to circumvent proxy routing restrictions and gain access to backend resources that should be protected. The root cause is the \u003ccode\u003eencode_url_path\u003c/code\u003e function\u0026rsquo;s failure to properly sanitize \u0026ldquo;../\u0026rdquo; sequences within URLs. This leads to the sequences being passed directly to the upstream server without re-encoding, thus bypassing intended access controls. Organizations using affected versions of Salvo are vulnerable until they upgrade to version 0.89.3, which contains the necessary patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Salvo web server running a vulnerable version (0.39.0 - 0.89.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a proxied endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a URL containing \u0026ldquo;../\u0026rdquo; sequences to traverse directories outside the intended proxy path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eencode_url_path\u003c/code\u003e function fails to properly normalize or re-encode the \u0026ldquo;../\u0026rdquo; sequence.\u003c/li\u003e\n\u003cli\u003eThe unsanitized URL is forwarded to the upstream server behind the proxy.\u003c/li\u003e\n\u003cli\u003eThe upstream server processes the request, granting access to unintended files or endpoints due to the path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information, protected functionalities, or administrative interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker may further exploit the compromised resource to escalate privileges or compromise the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls and access sensitive backend resources. The CVSS v3.1 score is 7.5. This could lead to exposure of confidential data, unauthorized modification of system settings, or complete system compromise, depending on the nature of the accessible resources. The number of affected deployments is currently unknown but depends on the adoption rate of the Salvo framework.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Salvo to version 0.89.3 or later to patch CVE-2026-33242.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block requests containing \u0026ldquo;../\u0026rdquo; sequences in the URL, mitigating potential path traversal attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden proxy configurations to ensure proper input validation and sanitization of URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T00:16:29Z","date_published":"2026-03-24T00:16:29Z","id":"/briefs/2024-01-salvo-path-traversal/","summary":"Salvo web framework versions 0.39.0 through 0.89.2 are vulnerable to Path Traversal and Access Control Bypass, allowing unauthenticated external attackers to bypass proxy routing constraints and access unintended backend paths.","title":"Salvo Web Framework Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-salvo-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["unifi","path-traversal","nosql-injection","cve-2026-22557","cve-2026-22558"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe UniFi Network Application, a central platform for managing network devices across enterprise and SMB environments, is affected by two critical vulnerabilities: CVE-2026-22557 (Path Traversal) and CVE-2026-22558 (Authenticated NoSQL Injection). These vulnerabilities impact Official Release versions 10.1.85 and earlier, Release Candidate versions 10.2.93 and earlier, and UniFi Express (UX) versions 9.0.114 and earlier. Exploitation of CVE-2026-22557 enables attackers to access and manipulate…\u003c/p\u003e\n","date_modified":"2026-03-21T12:00:00Z","date_published":"2026-03-21T12:00:00Z","id":"/briefs/2026-03-unifi-vulns/","summary":"A combination of path traversal (CVE-2026-22557) and NoSQL injection (CVE-2026-22558) vulnerabilities in the UniFi Network Application allows attackers to access files, escalate privileges, and potentially compromise the entire system.","title":"UniFi Network Application Vulnerabilities CVE-2026-22557 and CVE-2026-22558","url":"https://feed.craftedsignal.io/briefs/2026-03-unifi-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@evomap/evolver"],"_cs_severities":["high"],"_cs_tags":["path-traversal","arbitrary-file-write","privilege-escalation","evolver"],"_cs_type":"advisory","_cs_vendors":["@evomap"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@evomap/evolver\u003c/code\u003e package contains a path traversal vulnerability in its \u003ccode\u003efetch\u003c/code\u003e command, specifically affecting versions prior to 1.69.3. This flaw arises from the insufficient validation of user-supplied paths provided via the \u003ccode\u003e--out\u003c/code\u003e flag. By manipulating this flag, attackers can bypass intended directory restrictions and write files to arbitrary locations on the filesystem. This can lead to critical system file modification, potentially leading to privilege escalation and persistent backdoor installation. The vulnerability exists in the \u003ccode\u003eindex.js\u003c/code\u003e file, where the application processes the \u003ccode\u003e--out\u003c/code\u003e flag without proper sanitization before writing files to the specified directory. This is particularly concerning in automated environments like CI/CD pipelines where user input might be indirectly injected into the \u003ccode\u003efetch\u003c/code\u003e command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control over the input to the \u003ccode\u003efetch\u003c/code\u003e command, including the \u003ccode\u003e--out\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e--out\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch\u003c/code\u003e command in \u003ccode\u003eindex.js\u003c/code\u003e processes the \u003ccode\u003e--out\u003c/code\u003e flag and extracts the user-provided path without validation.\u003c/li\u003e\n\u003cli\u003eThe application attempts to create the directory specified by the manipulated \u003ccode\u003e--out\u003c/code\u003e flag using \u003ccode\u003efs.mkdirSync\u003c/code\u003e with the \u003ccode\u003erecursive\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe application writes files (e.g., downloaded skill files) to the directory specified in the \u003ccode\u003e--out\u003c/code\u003e parameter using \u003ccode\u003efs.writeFileSync\u003c/code\u003e, effectively writing to an arbitrary location.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, they can overwrite critical system files or create new files in sensitive directories like \u003ccode\u003e/etc/cron.d\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified files to achieve persistence (e.g., by creating a cron job).\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious code, gaining unauthorized access or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the filesystem. This can lead to several critical consequences, including overwriting system configuration files, installing persistent backdoors via cron jobs, modifying SSH authorized_keys for unauthorized access, and potentially achieving privilege escalation if the affected process runs with elevated privileges. The impact is particularly severe in automated environments where this tool is used to deploy code, as it opens the door for supply chain attacks. This issue affects users of \u003ccode\u003e@evomap/evolver\u003c/code\u003e prior to version 1.69.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@evomap/evolver\u003c/code\u003e package to version 1.69.3 or later to remediate the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Evolver Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for command-line arguments containing path traversal sequences like \u003ccode\u003e../\u003c/code\u003e when executing \u003ccode\u003enode\u003c/code\u003e or \u003ccode\u003enodejs\u003c/code\u003e related to evolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-08-10T12:00:00Z","date_published":"2024-08-10T12:00:00Z","id":"/briefs/2024-08-evolver-path-traversal/","summary":"A path traversal vulnerability exists in the `fetch` command of `@evomap/evolver` due to insufficient validation of the `--out` flag, allowing attackers to write files to arbitrary locations on the filesystem, potentially leading to overwriting critical system files and privilege escalation.","title":"Evolver Path Traversal Vulnerability in `fetch` Command","url":"https://feed.craftedsignal.io/briefs/2024-08-evolver-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2024-57728"}],"_cs_exploited":false,"_cs_products":["SimpleHelp"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-57728","path-traversal","zip-slip"],"_cs_type":"advisory","_cs_vendors":["SimpleHelp"],"content_html":"\u003cp\u003eA path traversal vulnerability exists within SimpleHelp, identified as CVE-2024-57728. This flaw enables authenticated administrators to upload arbitrary files to any location on the server\u0026rsquo;s file system. This is achieved through the use of a specially crafted ZIP archive (a technique known as Zip Slip). Successful exploitation allows an attacker to execute arbitrary code within the security context of the SimpleHelp server user. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. Defenders should apply vendor-provided mitigations or discontinue use of the software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the SimpleHelp console, either through compromised credentials or exploiting a separate authentication bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., \u0026ldquo;../../ malicious.exe\u0026rdquo;) in its filename.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive to the SimpleHelp server through a file upload functionality available to administrators.\u003c/li\u003e\n\u003cli\u003eThe SimpleHelp server extracts the contents of the ZIP archive without proper validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe file with the path traversal sequence is extracted to an arbitrary location on the file system outside of the intended upload directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a method to execute the uploaded malicious executable. This could involve overwriting an existing system utility or service executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs with the privileges of the SimpleHelp server user.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the host, potentially leading to complete system compromise, data exfiltration, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-57728 allows an attacker to execute arbitrary code on the SimpleHelp server with the privileges of the SimpleHelp service account. This can result in a full compromise of the SimpleHelp server, potentially leading to data theft, service disruption, or further lateral movement within the network. The vulnerability affects SimpleHelp installations, and the impact is high due to the potential for complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by SimpleHelp to patch the vulnerability. Refer to the vendor advisory for instructions: \u003ca href=\"https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\"\u003ehttps://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eMonitor SimpleHelp server file uploads for ZIP archives containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;) in filenames using a file integrity monitoring system (FIM) or endpoint detection and response (EDR) solution. Deploy the \u0026ldquo;Detect SimpleHelp Path Traversal ZIP Upload\u0026rdquo; Sigma rule to identify suspicious ZIP files.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly audit administrative access to the SimpleHelp console to prevent unauthorized users from exploiting the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-25T10:00:00Z","date_published":"2024-06-25T10:00:00Z","id":"/briefs/2024-06-simplehelp-path-traversal/","summary":"CVE-2024-57728 is a path traversal vulnerability in SimpleHelp that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, potentially leading to arbitrary code execution.","title":"SimpleHelp Path Traversal Vulnerability (CVE-2024-57728)","url":"https://feed.craftedsignal.io/briefs/2024-06-simplehelp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2024-7399"}],"_cs_exploited":true,"_cs_products":["MagicINFO 9 Server"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","cve-2024-7399","samsung"],"_cs_type":"threat","_cs_vendors":["Samsung"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, identified as CVE-2024-7399, affects Samsung MagicINFO 9 Server. This flaw could be exploited by an attacker to write arbitrary files to the server with system-level privileges. Successful exploitation could lead to a complete compromise of the MagicINFO server, potentially allowing attackers to execute arbitrary code, install backdoors, or manipulate data stored on the server. Given the potential for widespread impact, organizations utilizing MagicINFO 9 Server should prioritize patching or mitigating this vulnerability immediately. The vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog, highlighting its active exploitation risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable MagicINFO 9 Server instance exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;) in a file upload or download parameter.\u003c/li\u003e\n\u003cli\u003eThe server improperly processes the path, failing to sanitize the input and allowing the attacker to traverse outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the path traversal vulnerability to write a malicious file (e.g., a web shell or executable) to a sensitive directory, such as the web server\u0026rsquo;s root directory or a startup folder.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious file, gaining arbitrary code execution on the server with system privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a persistent backdoor for future access, potentially installing tools for lateral movement and privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their system privileges to access sensitive data, modify system configurations, or launch further attacks against the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-7399 can lead to complete system compromise, potentially affecting all connected displays and content managed by the MagicINFO server. This could result in unauthorized access to sensitive data, disruption of digital signage operations, and the potential for further attacks against the organization\u0026rsquo;s internal network. The vulnerability has been added to the CISA KEV catalog, indicating active exploitation, and therefore a high risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by Samsung as described in their security update (\u003ca href=\"https://security.samsungtv.com/securityUpdates)\"\u003ehttps://security.samsungtv.com/securityUpdates)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf mitigations are unavailable, discontinue use of the product, as suggested by CISA.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u0026ldquo;../\u0026rdquo;) targeting the MagicINFO server. Use the \u003ccode\u003eMagicINFO Path Traversal Attempt\u003c/code\u003e Sigma rule to detect such attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all file upload and download functionalities on the MagicINFO server.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of unexpected files in sensitive directories, such as web server root directories or system startup folders. Use the \u003ccode\u003eSuspicious File Creation in Web Directories\u003c/code\u003e Sigma rule to detect such activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-19T12:00:00Z","date_published":"2024-06-19T12:00:00Z","id":"/briefs/2024-06-magicinfo-path-traversal/","summary":"A path traversal vulnerability in Samsung MagicINFO 9 Server could allow an attacker to write arbitrary files with system privileges, potentially leading to code execution or system compromise.","title":"Samsung MagicINFO 9 Server Path Traversal Vulnerability (CVE-2024-7399)","url":"https://feed.craftedsignal.io/briefs/2024-06-magicinfo-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":["TeamCity"],"_cs_severities":["critical"],"_cs_tags":["cve-2024-27199","path-traversal","ransomware","jetbrains"],"_cs_type":"threat","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eCVE-2024-27199 is a relative path traversal vulnerability affecting JetBrains TeamCity, a continuous integration and deployment server. This vulnerability allows attackers to perform limited administrative actions by manipulating file paths. JetBrains released a patch for this vulnerability in version 2023.11.4. CISA has added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild, including its use in ransomware attacks. The vulnerability poses a significant risk to organizations using TeamCity, potentially leading to unauthorized access, data breaches, and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable TeamCity server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a relative path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e) within a URL parameter related to administrative functions.\u003c/li\u003e\n\u003cli\u003eThe TeamCity server processes the crafted request without proper sanitization of the file path.\u003c/li\u003e\n\u003cli\u003eThe relative path traversal allows the attacker to access or modify restricted files or directories outside the intended scope.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to perform limited admin actions, potentially modifying user permissions or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, gaining full control over the TeamCity server.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware to connected systems, encrypting data and demanding a ransom for its release.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-27199 can lead to complete compromise of the TeamCity server and connected build agents. Due to TeamCity\u0026rsquo;s central role in software development and deployment pipelines, this can lead to significant disruption, data loss, and potential supply chain attacks. The vulnerability has been linked to ransomware attacks, causing financial losses, reputational damage, and operational downtime for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch by upgrading to TeamCity version 2023.11.4 or later to remediate CVE-2024-27199 (\u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts against TeamCity servers.\u003c/li\u003e\n\u003cli\u003eFollow CISA\u0026rsquo;s BOD 22-01 guidance for cloud services to ensure proper security configurations and monitoring are in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-teamcity-path-traversal/","summary":"A relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199) could allow limited administrative actions and has been linked to ransomware attacks.","title":"JetBrains TeamCity Relative Path Traversal Vulnerability (CVE-2024-27199)","url":"https://feed.craftedsignal.io/briefs/2024-04-teamcity-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["ScreenConnect"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","cve-2024-1708","connectwise"],"_cs_type":"advisory","_cs_vendors":["ConnectWise"],"content_html":"\u003cp\u003eCVE-2024-1708 is a critical path traversal vulnerability affecting ConnectWise ScreenConnect. This flaw could allow an unauthenticated attacker to execute remote code or directly access confidential data and critical systems. ConnectWise released security bulletin 23.9.8 to address this vulnerability. Given the potential for remote code execution and data compromise, this vulnerability poses a significant risk to organizations using ConnectWise ScreenConnect, potentially allowing full system takeover. CISA added this to their KEV catalog and recommends applying mitigations per vendor instructions, following BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a ConnectWise ScreenConnect server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a path traversal payload targeting a vulnerable endpoint within ScreenConnect. This payload is designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe ScreenConnect server processes the malicious request, and the path traversal vulnerability allows the attacker to access files outside of the intended webroot directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file access to read sensitive configuration files, potentially containing credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uploads a malicious executable (e.g., a web shell) to a writeable directory accessible via path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded web shell, gaining remote code execution on the ScreenConnect server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised ScreenConnect server as a pivot point to move laterally within the internal network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, disrupting business operations and causing significant financial damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-1708 can lead to complete compromise of ConnectWise ScreenConnect servers and potentially the entire network. Attackers could exfiltrate sensitive data, deploy ransomware, or use the compromised systems for lateral movement. Given the widespread use of ScreenConnect in MSP environments, a successful attack could impact numerous downstream clients, causing widespread disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by ConnectWise in security bulletin 23.9.8 to patch CVE-2024-1708.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious ScreenConnect Path Traversal Attempts\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from ScreenConnect servers, as this could indicate post-exploitation activity.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of ConnectWise ScreenConnect servers, following security best practices to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-29-screenconnect-path-traversal/","summary":"CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems.","title":"ConnectWise ScreenConnect Path Traversal Vulnerability (CVE-2024-1708)","url":"https://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2025-2749"}],"_cs_exploited":false,"_cs_products":["Kentico Xperience"],"_cs_severities":["high"],"_cs_tags":["path traversal","cve-2025-2749","kentico"],"_cs_type":"advisory","_cs_vendors":["Kentico"],"content_html":"\u003cp\u003eCVE-2025-2749 is a path traversal vulnerability affecting Kentico Xperience, a digital experience platform. This vulnerability allows an authenticated user, specifically one with access to the Staging Sync Server, to upload arbitrary data to path-relative locations on the server. The vulnerability stems from insufficient validation of file paths during the staging synchronization process. Successful exploitation of this vulnerability could lead to arbitrary file uploads, potentially overwriting critical system files or introducing malicious code. This could enable an attacker to achieve remote code execution, compromise sensitive data, or disrupt the availability of the Kentico Xperience instance. Due to the potential for significant impact, organizations using Kentico Xperience should apply mitigations as soon as possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a Kentico Xperience user account that has access to the Staging Sync Server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a path traversal sequence (e.g., \u0026ldquo;../../../\u0026rdquo;) within the file path.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a staging synchronization process, sending the crafted payload to the Staging Sync Server.\u003c/li\u003e\n\u003cli\u003eThe Staging Sync Server, due to insufficient path validation, processes the payload and attempts to upload the data to the attacker-specified path.\u003c/li\u003e\n\u003cli\u003eThe system uploads the arbitrary data to an unintended location due to the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eIf the uploaded file overwrites an existing executable, the attacker may achieve remote code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the uploaded file could contain a web shell allowing the attacker to execute commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the uploaded web shell or executable to gain further access and compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-2749 can lead to arbitrary file uploads on the Kentico Xperience server. This could result in several severe consequences, including remote code execution, data compromise, and denial of service. While the exact number of affected organizations is unknown, organizations in various sectors rely on Kentico Xperience for their web content management needs. If exploited, attackers could gain complete control over the affected systems, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations per vendor instructions, specifically the hotfixes available on the Kentico devnet portal to address CVE-2025-2749.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services if the Kentico Xperience instance is hosted in a cloud environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Kentico Staging Sync Path Traversal Attempt\u0026rdquo; to monitor for suspicious file uploads with path traversal sequences in web server logs.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit user accounts with access to the Staging Sync Server to minimize the risk of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-kentico-traversal/","summary":"Kentico Xperience contains a path traversal vulnerability (CVE-2025-2749) that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations, potentially leading to remote code execution or data compromise.","title":"Kentico Xperience Path Traversal Vulnerability (CVE-2025-2749)","url":"https://feed.craftedsignal.io/briefs/2024-01-kentico-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-http-middleware"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","path-traversal","ssrf","denial-of-service","i18next"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003ei18next-http-middleware versions prior to 3.9.3 are susceptible to prototype pollution, path traversal, and SSRF attacks. The vulnerability stems from the insufficient validation of the \u003ccode\u003elng\u003c/code\u003e (language) and \u003ccode\u003ens\u003c/code\u003e (namespace) parameters passed via HTTP requests to the \u003ccode\u003egetResourcesHandler\u003c/code\u003e and the \u003ccode\u003emissingKeyHandler\u003c/code\u003e. These handlers, intended to serve localization resources, expose attack surface because they process user-controlled input without proper sanitization. This allows attackers to manipulate object properties, access unintended files or internal services, and cause denial-of-service conditions. The vulnerability was discovered via an internal security audit. Defenders should upgrade to version 3.9.3 to remediate the risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to the \u003ccode\u003e/locales/resources.json\u003c/code\u003e endpoint, targeting the \u003ccode\u003egetResourcesHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes malicious \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e query parameters, such as \u003ccode\u003elng=__proto__\u0026amp;ns=isAdmin\u003c/code\u003e, or \u003ccode\u003ens=../../etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetResourcesHandler\u003c/code\u003e extracts the \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e parameters without sufficient validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values are passed to \u003ccode\u003eutils.setPath(resources, [lng, ns], ...)\u003c/code\u003e which allows writing to the Object prototype if \u003ccode\u003elng\u003c/code\u003e is \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values are passed to \u003ccode\u003ei18next.services.backendConnector.load(languages, namespaces, ...)\u003c/code\u003e to load resource bundles. With filesystem or HTTP backends, this can enable path traversal or SSRF if \u003ccode\u003ens\u003c/code\u003e or \u003ccode\u003elng\u003c/code\u003e contain malicious path segments.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends a POST request with a body containing a malicious \u003ccode\u003e__proto__\u003c/code\u003e key to \u003ccode\u003emissingKeyHandler\u003c/code\u003e, for example \u003ccode\u003e{\u0026quot;__proto__\u0026quot;: {\u0026quot;isAdmin\u0026quot;: true}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emissingKeyHandler\u003c/code\u003e iterates over the request body using \u003ccode\u003efor...in\u003c/code\u003e, including inherited prototype properties, and forwards the malicious data into \u003ccode\u003esaveMissing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to prototype pollution, arbitrary file access, SSRF, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can have significant consequences. Prototype pollution allows attackers to manipulate object properties globally, leading to broken authorization checks (e.g., bypassing \u003ccode\u003eif (user.isAdmin)\u003c/code\u003e), type confusion errors, or potentially remote code execution. Path traversal enables access to sensitive files on the server, like configuration files or password databases, while SSRF allows attackers to interact with internal services. Finally, the unbounded growth of the \u003ccode\u003ei18next.options.ns\u003c/code\u003e list and repeated backend load calls can lead to denial of service due to memory and CPU exhaustion. This can impact availability of the service and potentially other services on the same host.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ei18next-http-middleware\u003c/code\u003e version 3.9.3 or later to address the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect exploitation attempts targeting the \u003ccode\u003egetResourcesHandler\u003c/code\u003e and \u003ccode\u003emissingKeyHandler\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement a WAF rule as a partial mitigation to block requests containing \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, \u003ccode\u003eprototype\u003c/code\u003e, \u003ccode\u003e..\u003c/code\u003e, or control characters in \u003ccode\u003elng\u003c/code\u003e/\u003ccode\u003ens\u003c/code\u003e query parameters or body keys as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-i18next-http-middleware-vuln/","summary":"Versions of i18next-http-middleware before 3.9.3 are vulnerable to prototype pollution, path traversal, and server-side request forgery (SSRF) due to improper validation of user-controlled language and namespace parameters, potentially leading to denial of service or remote code execution.","title":"i18next-http-middleware Prototype Pollution and Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-fs-backend"],"_cs_severities":["high"],"_cs_tags":["path-traversal","i18next","arbitrary-file-read","arbitrary-file-write","code-execution"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe i18next-fs-backend library, a file system backend for the i18next internationalization framework, is vulnerable to a path traversal attack in versions prior to 2.6.4. This vulnerability arises from the unsanitized use of the \u003ccode\u003elng\u003c/code\u003e (language) and \u003ccode\u003ens\u003c/code\u003e (namespace) parameters when constructing file paths for loading and writing locale files. If an application exposes the language code to user input, an attacker can craft a malicious \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to escape the intended locale directory. Successful exploitation can lead to arbitrary file read, arbitrary file overwrite, and, if \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files are used for localization, arbitrary code execution. This vulnerability highlights the importance of input validation, especially when constructing file paths from user-controlled data. The vulnerability was patched in version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of \u003ccode\u003ei18next-fs-backend\u003c/code\u003e (versions prior to 2.6.4) and exposes the language code to user input via query parameters (e.g., \u003ccode\u003e?lng=\u003c/code\u003e), cookies, or request headers.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003elng\u003c/code\u003e value containing directory traversal sequences, such as \u003ccode\u003e../../../../etc\u003c/code\u003e, to target sensitive files outside the intended locale directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the application with the crafted \u003ccode\u003elng\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application passes the unsanitized \u003ccode\u003elng\u003c/code\u003e value to the \u003ccode\u003ei18next.t()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ei18next-fs-backend\u003c/code\u003e library interpolates the malicious \u003ccode\u003elng\u003c/code\u003e value into the \u003ccode\u003eloadPath\u003c/code\u003e configuration option, without proper validation.  For example, \u003ccode\u003eloadPath: '/locales/{{lng}}/{{ns}}.json'\u003c/code\u003e becomes \u003ccode\u003e/locales/../../../../etc/{{ns}}.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe backend attempts to read the file specified by the crafted path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned as a translation resource, potentially exposing sensitive information. If the attacker crafted the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value to point to a \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e file containing malicious code, the backend will execute the file using \u003ccode\u003eeval()\u003c/code\u003e, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the application attempts to write a missing translation key using the crafted path (via \u003ccode\u003eaddPath\u003c/code\u003e), the attacker could overwrite arbitrary files on the system, potentially leading to application compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have severe consequences. Arbitrary file read allows attackers to access sensitive data, such as configuration files, database credentials, or application source code. Arbitrary file overwrite can lead to application malfunction or complete compromise. If the application uses \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files for localization and the attacker is able to inject malicious code into those files through path traversal, arbitrary code execution can result, potentially allowing the attacker to gain full control of the server. The number of victims depends on the popularity and configuration of applications using the vulnerable \u003ccode\u003ei18next-fs-backend\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ei18next-fs-backend\u003c/code\u003e version 2.6.4 or later to patch the path traversal vulnerability as this version introduces the \u003ccode\u003eisSafePathSegment\u003c/code\u003e and \u003ccode\u003einterpolatePath\u003c/code\u003e functions to sanitize the path.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize the \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values at the application boundary before passing them to \u003ccode\u003ei18next\u003c/code\u003e. Reject values containing \u003ccode\u003e..\u003c/code\u003e, \u003ccode\u003e/\u003c/code\u003e, \u003ccode\u003e\\\u003c/code\u003e, control characters, and limit the length to prevent path traversal as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e locale files, carefully review them for any suspicious or unexpected code. The advisory highlights that these files must be treated as trusted code.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing directory traversal sequences in the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e parameters. Deploy the first Sigma rule for this purpose.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-i18next-fs-backend-path-traversal/","summary":"i18next-fs-backend versions before 2.6.4 are vulnerable to path traversal due to insufficient sanitization of the lng and ns values, potentially allowing attackers to read arbitrary files, overwrite files, or execute code if .js or .ts locale files are in use.","title":"i18next-fs-backend Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-25-i18next-fs-backend-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7149"}],"_cs_exploited":false,"_cs_products":["kaggle-mcp"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in the kaggle-mcp project, specifically affecting versions up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. The vulnerability resides within the \u003ccode\u003eprepare_kaggle_dataset\u003c/code\u003e function located in the \u003ccode\u003esrc/kaggle_mcp/server.py\u003c/code\u003e file.  Successful exploitation allows a remote attacker to read sensitive files from the server. The vulnerability stems from insufficient sanitization of the \u003ccode\u003ecompetition_id\u003c/code\u003e argument. The exploit is publicly known, increasing the risk of widespread exploitation. The project uses a rolling release model, making it difficult to pinpoint specific affected versions. The maintainers have been notified but have not yet addressed the issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable kaggle-mcp instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the endpoint that utilizes the \u003ccode\u003eprepare_kaggle_dataset\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a path traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e) into the \u003ccode\u003ecompetition_id\u003c/code\u003e parameter of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the \u003ccode\u003ecompetition_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprepare_kaggle_dataset\u003c/code\u003e function uses the unsanitized \u003ccode\u003ecompetition_id\u003c/code\u003e to construct a file path.\u003c/li\u003e\n\u003cli\u003eThe application accesses a file outside of the intended directory due to the path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the contents of the accessed file in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to enumerate and exfiltrate sensitive files, potentially gaining access to credentials, configuration files, or source code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the server hosting the kaggle-mcp application. This can lead to the disclosure of sensitive information, such as configuration files containing database credentials, API keys, or source code. This information can be further leveraged to compromise other systems or data. The number of potential victims is unknown, but depends on the adoption rate of the vulnerable kaggle-mcp application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for HTTP requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e) in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field targeting endpoints associated with the \u003ccode\u003eprepare_kaggle_dataset\u003c/code\u003e function using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003ecompetition_id\u003c/code\u003e parameter to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns originating from the kaggle-mcp application based on the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-kaggle-mcp-path-traversal/","summary":"A path traversal vulnerability exists in the prepare_kaggle_dataset function of kaggle-mcp up to version 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d, allowing remote attackers to access arbitrary files by manipulating the competition_id argument.","title":"Kaggle-MCP Path Traversal Vulnerability in prepare_kaggle_dataset Function","url":"https://feed.craftedsignal.io/briefs/2024-01-kaggle-mcp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-34414"}],"_cs_exploited":false,"_cs_products":["Xerte Online Toolkits (\u003c= 3.15)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","xss"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a tool used to create online learning materials, is vulnerable to a path traversal vulnerability (CVE-2026-34414) in versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e. The \u003ccode\u003ename\u003c/code\u003e parameter within rename commands is not properly sanitized, allowing attackers to use directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to manipulate file locations. This flaw can be exploited to overwrite application files, inject stored cross-site scripting (XSS), or, when combined with other vulnerabilities, achieve unauthenticated remote code execution (RCE). This poses a significant threat to organizations utilizing affected versions of Xerte Online Toolkits, potentially leading to data breaches, system compromise, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Xerte Online Toolkits instance running version 3.15 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e targeting the rename command.\u003c/li\u003e\n\u003cli\u003eWithin the request, the \u003ccode\u003ename\u003c/code\u003e parameter contains directory traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) and the desired destination path.\u003c/li\u003e\n\u003cli\u003eThe server, due to insufficient input validation, processes the request without properly sanitizing the \u003ccode\u003ename\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker moves a file (e.g., an uploaded image or media file) from its original project media directory to a new location specified within the malicious \u003ccode\u003ename\u003c/code\u003e parameter. This could involve moving a file to the application root directory.\u003c/li\u003e\n\u003cli\u003eIf the attacker moves a specifically crafted PHP file to the application root and the webserver is configured to execute PHP files in the root, the attacker can then access this file via a web request.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the Xerte Online Toolkits instance and potentially the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. Attackers can overwrite sensitive application files, leading to denial of service or system instability. The injection of malicious JavaScript code can result in stored cross-site scripting (XSS) attacks, compromising user accounts and data. The most severe outcome is unauthenticated remote code execution (RCE), enabling attackers to gain complete control over the affected server, potentially leading to data breaches, malware deployment, and further lateral movement within the network. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Xerte Online Toolkits to a version greater than 3.15 to patch CVE-2026-34414.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Path Traversal in Xerte Connector\u003c/code\u003e to identify attempted exploitation of the path traversal vulnerability by monitoring requests to \u003ccode\u003e/editor/elfinder/php/connector.php\u003c/code\u003e with directory traversal sequences.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003ename\u003c/code\u003e parameter within the elFinder connector to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eReview web server configurations to prevent the execution of PHP files from the web root directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-xerte-path-traversal/","summary":"Xerte Online Toolkits 3.15 and earlier are vulnerable to relative path traversal, allowing attackers to move files and potentially achieve remote code execution.","title":"Xerte Online Toolkits Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-xerte-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pygeoapi"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in pygeoapi versions 0.23.0, 0.23.1, and 0.23.2, specifically within the STAC (Spatially Aware Catalog) FileSystemProvider plugin. This flaw allows unauthenticated attackers to access unauthorized directories by manipulating URL paths, particularly when pygeoapi is deployed without a proxy or web front end that normalizes URLs containing \u003ccode\u003e..\u003c/code\u003e sequences. The vulnerability arises from improper handling of raw string path concatenation, making systems with STAC collection-based resources in their configuration susceptible to unauthorized file system access. This issue was resolved in version 0.23.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP request targeting a pygeoapi instance configured with a STAC collection resource.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a URL containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to navigate the file system.\u003c/li\u003e\n\u003cli\u003epygeoapi\u0026rsquo;s STAC FileSystemProvider plugin receives the request and attempts to resolve the file path.\u003c/li\u003e\n\u003cli\u003eDue to the raw string path concatenation vulnerability, the path traversal sequences are not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe application constructs an incorrect file path, allowing access to files and directories outside of the intended STAC collection directory.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information or configuration files located in the exposed directories.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the exposed information to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe final objective is unauthorized access to sensitive data and potentially system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe path traversal vulnerability in pygeoapi allows unauthorized access to directories and files, potentially exposing sensitive data, configuration files, or even source code. The impact depends on the data stored in the exposed directories. Successful exploitation can lead to information disclosure, privilege escalation, and further system compromise. Organizations using vulnerable pygeoapi versions are at risk until they upgrade to version 0.23.3 or implement the recommended workaround.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to pygeoapi version 0.23.3 to patch the vulnerability as detailed in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-f6pr-83pg-ghh6\"\u003ehttps://github.com/advisories/GHSA-f6pr-83pg-ghh6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eAs an immediate mitigation, disable STAC collection-based resources in the pygeoapi configuration as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-f6pr-83pg-ghh6\"\u003ehttps://github.com/advisories/GHSA-f6pr-83pg-ghh6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;pygeoapi Path Traversal Attempt\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-pygeoapi-path-traversal/","summary":"A path traversal vulnerability exists in pygeoapi versions 0.23.0 to 0.23.2 within the STAC FileSystemProvider plugin, allowing unauthenticated access to directories when deployed without a URL-normalizing proxy.","title":"pygeoapi Path Traversal Vulnerability in STAC FileSystemProvider","url":"https://feed.craftedsignal.io/briefs/2024-01-03-pygeoapi-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7272"}],"_cs_exploited":false,"_cs_products":["matlab-mcp-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WilliamCloudQi"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7272, affects WilliamCloudQi\u0026rsquo;s matlab-mcp-server up to commit ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The vulnerability resides within the MCP Interface component, specifically in the \u003ccode\u003egenerate_matlab_code/execute_matlab_code\u003c/code\u003e function of the \u003ccode\u003esrc/index.ts\u003c/code\u003e file. A remote attacker can exploit this flaw by manipulating the \u003ccode\u003escriptPath\u003c/code\u003e argument, allowing them to traverse the file system and potentially access sensitive files or execute arbitrary code on the server. This vulnerability is remotely exploitable, and an exploit is publicly available. The vendor was notified but has not yet responded. This poses a significant risk to systems running vulnerable versions of matlab-mcp-server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of WilliamCloudQi matlab-mcp-server running a version up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003egenerate_matlab_code\u003c/code\u003e or \u003ccode\u003eexecute_matlab_code\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003escriptPath\u003c/code\u003e argument containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side code, without proper validation, uses the attacker-controlled \u003ccode\u003escriptPath\u003c/code\u003e to access a file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the path traversal to navigate to a sensitive file outside the intended directory (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server reads the contents of the arbitrary file due to the path traversal.\u003c/li\u003e\n\u003cli\u003eThe server includes the contents of the sensitive file in the response sent back to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the sensitive information from the server\u0026rsquo;s response, such as configuration files, credentials, or source code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to read arbitrary files on the server. This can lead to the disclosure of sensitive information, including configuration files, credentials, source code, or other data stored on the server\u0026rsquo;s file system. This information can then be used for further attacks, such as privilege escalation or lateral movement within the network. The number of potential victims is unknown, but any system running a vulnerable version of matlab-mcp-server is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003escriptPath\u003c/code\u003e argument in the \u003ccode\u003egenerate_matlab_code\u003c/code\u003e and \u003ccode\u003eexecute_matlab_code\u003c/code\u003e functions to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e) in the \u003ccode\u003escriptPath\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-matlab-mcp-server-path-traversal/","summary":"A path traversal vulnerability exists in WilliamCloudQi matlab-mcp-server up to version ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca, allowing a remote attacker to manipulate the scriptPath argument in the generate_matlab_code/execute_matlab_code function to access arbitrary files.","title":"Path Traversal Vulnerability in WilliamCloudQi matlab-mcp-server","url":"https://feed.craftedsignal.io/briefs/2024-01-03-matlab-mcp-server-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-5166"}],"_cs_exploited":false,"_cs_products":["Pardus Software Center"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5166","path-traversal","web-application"],"_cs_type":"advisory","_cs_vendors":["TUBITAK BILGEM Software Technologies Research Institute"],"content_html":"\u003cp\u003eCVE-2026-5166 is a critical path traversal vulnerability discovered in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center, affecting versions prior to 1.0.3. This vulnerability allows an attacker to bypass directory restrictions and potentially access sensitive files or execute arbitrary code on the underlying system. Path traversal vulnerabilities arise when an application does not properly sanitize user-supplied input used to construct file paths. This can lead to unauthorized access and modification of data, potentially leading to a full system compromise. The vulnerability was published on 2026-04-29, but due to its severity, detection engineers should prioritize creating detections for it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an endpoint in Pardus Software Center that accepts file paths as input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing a path traversal payload, such as \u0026ldquo;../../../etc/passwd\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, allowing the path traversal sequence to be processed.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path using the unsanitized input, effectively escaping the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker can read sensitive files such as configuration files, user data, or system binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the ability to read sensitive files to gain further information about the system, such as user credentials or system configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker can then exploit this information to escalate privileges or compromise other parts of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5166 can lead to unauthorized access to sensitive data, including configuration files, user data, and system binaries. This could allow an attacker to steal credentials, escalate privileges, or compromise the entire system. Given the CVSS v3.1 base score of 9.6, this vulnerability poses a critical risk to systems running affected versions of Pardus Software Center. The exact number of affected systems is currently unknown, but organizations using this software are urged to apply mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Pardus Software Center to version 1.0.3 or later to patch CVE-2026-5166.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePardus Software Center Path Traversal Attempt\u003c/code\u003e to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences like \u0026ldquo;../\u0026rdquo; or \u0026ldquo;..\u0026quot; to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-pardus-path-traversal/","summary":"CVE-2026-5166 is a path traversal vulnerability affecting TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center before version 1.0.3, allowing attackers to bypass directory restrictions.","title":"Pardus Software Center Path Traversal Vulnerability (CVE-2026-5166)","url":"https://feed.craftedsignal.io/briefs/2024-01-pardus-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Tomcat","OpenMRS Core","openmrs-web"],"_cs_severities":["high"],"_cs_tags":["path-traversal","information-disclosure","openmrs"],"_cs_type":"advisory","_cs_vendors":["Apache","OpenMRS"],"content_html":"\u003cp\u003eOpenMRS Core, a widely used open-source medical record system, is vulnerable to a path traversal attack via the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e. This flaw affects versions up to 2.7.8 and versions 2.8.0 through 2.8.5. An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL to read arbitrary files from the server\u0026rsquo;s filesystem. The vulnerability exists because the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e component fails to properly validate user-supplied path input when serving static module resources. This vulnerability is particularly critical because the affected endpoint is not protected by authentication filters, and successful exploitation depends on running Apache Tomcat versions before 8.5.31 or prior to 9.0.10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenMRS instance running on a susceptible Tomcat version.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid module ID installed on the target OpenMRS instance (e.g., \u003ccode\u003elegacyui\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the \u003ccode\u003e/openmrs/moduleResources/{moduleid}\u003c/code\u003e endpoint containing a path traversal sequence (e.g., \u003ccode\u003e..;\u003c/code\u003e) within the URL. The request attempts to access a sensitive file, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e receives the request and extracts the path information without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path by concatenating the web application root, module path, module ID, \u0026ldquo;resources,\u0026rdquo; and the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eDue to missing path sanitization and normalization, the resulting file path points to the attacker-specified file outside the intended resources directory.\u003c/li\u003e\n\u003cli\u003eThe server reads the content of the arbitrary file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns the file content in the HTTP response to the attacker, resulting in information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to read arbitrary files on the OpenMRS server. This can lead to the exposure of sensitive information, including system configuration files containing database credentials, potentially compromising the entire application and patient data. The number of affected deployments is unknown, but any OpenMRS instance running vulnerable versions on older Tomcat installations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMRS Core to a patched version beyond 2.8.5 to address CVE-2026-40075.\u003c/li\u003e\n\u003cli\u003eAs a short-term mitigation, upgrade Apache Tomcat to version 8.5.31 or later, or 9.0.10 or later, to leverage container-level path traversal protection.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts against the vulnerable \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URL patterns containing path traversal sequences (\u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..;\u003c/code\u003e, \u003ccode\u003e%2e%2e%2f\u003c/code\u003e) targeting the \u003ccode\u003e/openmrs/moduleResources/\u003c/code\u003e path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openmrs-path-traversal/","summary":"OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.","title":"OpenMRS ModuleResourcesServlet Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@samanhappy/mcphub ( \u003c 0.12.13)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","mcphub"],"_cs_type":"advisory","_cs_vendors":["samanhappy"],"content_html":"\u003cp\u003eMCPHub is vulnerable to a path traversal vulnerability affecting versions prior to 0.12.13. The vulnerability exists in the MCPB file upload handler, which extracts a ZIP file and reads the \u003ccode\u003emanifest.json\u003c/code\u003e file. The \u003ccode\u003ename\u003c/code\u003e field from the manifest is directly concatenated into the file path without any sanitization or path traversal character validation. This allows an attacker to craft a malicious MCPB file with a \u003ccode\u003emanifest.name\u003c/code\u003e containing directory traversal sequences (e.g., \u003ccode\u003e../../../etc/malicious\u003c/code\u003e), leading to arbitrary file extraction and potential directory deletion via the \u003ccode\u003ecleanupOldMcpbServer\u003c/code\u003e function. This vulnerability poses a significant risk to systems running vulnerable versions of MCPHub, potentially allowing attackers to overwrite critical system files or execute arbitrary code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious MCPB file.\u003c/li\u003e\n\u003cli\u003eThe malicious MCPB file contains a \u003ccode\u003emanifest.json\u003c/code\u003e file with a \u003ccode\u003ename\u003c/code\u003e field set to a path traversal string (e.g., \u003ccode\u003e../../../tmp/evil\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious MCPB file to the \u003ccode\u003e/mcpb/upload\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003euploadMcpbFile\u003c/code\u003e function extracts the uploaded MCPB file to a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe function reads and parses the \u003ccode\u003emanifest.json\u003c/code\u003e file from the temporary directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emanifest.name\u003c/code\u003e value (containing the path traversal string) is used to construct the final extraction directory path using \u003ccode\u003epath.join\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server attempts to create the directory specified by the crafted path and moves the extracted files to this location. Due to the path traversal, the files are written outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecleanupOldMcpbServer\u003c/code\u003e function may be triggered, attempting to delete directories based on the unsanitized name, though constrained to the upload directory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows an attacker to write files to arbitrary locations on the server\u0026rsquo;s file system. This could lead to overwriting critical system files, injecting malicious code into existing applications, or gaining unauthorized access to sensitive data. The exact impact depends on the permissions of the user running the MCPHub application and the contents of the files being written. If the attacker can overwrite executable files or configuration files, they could achieve arbitrary code execution and full system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the remediation recommendations from the original advisory: Use \u003ccode\u003epath.basename()\u003c/code\u003e to strip directory components from \u003ccode\u003emanifest.name\u003c/code\u003e, and enforce a strict character whitelist before use.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MCPHub Path Traversal Attempt via Manifest Name\u0026rdquo; to identify attempts to exploit this vulnerability by monitoring for specific path traversal sequences in the manifest name (see Sigma rule).\u003c/li\u003e\n\u003cli\u003eUpgrade MCPHub to version 0.12.13 or later to patch this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mcphub-path-traversal/","summary":"MCPHub is vulnerable to path traversal, where a malicious MCPB file with a crafted manifest.name can cause files to be extracted to arbitrary locations due to missing sanitization in the upload handler.","title":"MCPHub Path Traversal Vulnerability via Malicious MCPB Manifest Name","url":"https://feed.craftedsignal.io/briefs/2024-01-mcphub-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7398"}],"_cs_exploited":false,"_cs_products":["BioinfoMCP"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7398"],"_cs_type":"advisory","_cs_vendors":["florensiawidjaja"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7398, affects the BioinfoMCP platform developed by florensiawidjaja. The vulnerability resides in the Upload function within the bioinfo_mcp_platform/app.py file. An attacker can exploit this weakness remotely by manipulating the \u003ccode\u003eName\u003c/code\u003e argument during file uploads, allowing them to write files to arbitrary locations on the server. This poses a significant security risk, potentially leading to code execution, data compromise, or denial of service. The exploit is publicly available, increasing the likelihood of exploitation. The BioinfoMCP project utilizes continuous delivery with rolling releases, making it difficult to determine specific affected and patched versions. The project has been notified through an issue report, but no response has been received.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an accessible BioinfoMCP instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Upload endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the \u0026lsquo;Name\u0026rsquo; argument is manipulated to include path traversal sequences (e.g., ../../).\u003c/li\u003e\n\u003cli\u003eThe server-side application fails to properly sanitize or validate the \u0026lsquo;Name\u0026rsquo; argument.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path using the attacker-controlled \u0026lsquo;Name\u0026rsquo; argument.\u003c/li\u003e\n\u003cli\u003eThe application writes the uploaded file to the attacker-specified location outside of the intended upload directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious file (e.g., a web shell or executable).\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded file, potentially gaining control of the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability could allow an attacker to overwrite critical system files, execute arbitrary code on the server, and potentially gain complete control of the affected system. Due to the lack of specific versioning and deployment details, the number of potentially affected instances is unknown. However, given the publicly available exploit, any unpatched BioinfoMCP instance is at immediate risk of compromise. The impact includes potential data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) in the \u003ccode\u003ecs-uri-query\u003c/code\u003e targeting the \u003ccode\u003e/app.py\u003c/code\u003e endpoint, activating the Sigma rule \u003ccode\u003eDetect BioinfoMCP Path Traversal Attempt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect BioinfoMCP Upload of Executable Files\u003c/code\u003e to identify potential malicious file uploads following exploitation.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on all user-supplied input, especially the \u0026lsquo;Name\u0026rsquo; argument in the Upload function within the bioinfo_mcp_platform/app.py file, to mitigate CVE-2026-7398.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-bioinfomcp-path-traversal/","summary":"A path traversal vulnerability in florensiawidjaja BioinfoMCP allows remote attackers to write arbitrary files via manipulation of the 'Name' argument in the Upload function of app.py.","title":"florensiawidjaja BioinfoMCP Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-bioinfomcp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azuracast (\u003c= 0.23.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","azuracast","webserver"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eAzuraCast, a self-hosted web radio management suite, is susceptible to a critical path traversal vulnerability (CVE-2026-42605) in its Flow.js media upload endpoint (\u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e). This flaw allows an authenticated user with media management permissions, such as a DJ or station manager, to bypass file storage directory restrictions. By manipulating the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter during file uploads, attackers can write arbitrary files to locations outside the intended media directory. The vulnerability is present in versions up to and including 0.23.5, and exploitation leads to remote code execution via PHP webshell upload, potentially resulting in full server compromise. The default local filesystem storage backend is required for exploitation; S3 or remote storage is not vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the AzuraCast web interface with a valid user account that has the \u003ccode\u003eStationPermissions::Media\u003c/code\u003e permission (e.g., DJ or Station Manager).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e endpoint, targeting a station that uses local storage.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../../../var/azuracast/www/public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request also includes a PHP webshell file (\u003ccode\u003eshell.php\u003c/code\u003e) as the \u003ccode\u003efile_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server-side code in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e concatenates the unsanitized \u003ccode\u003ecurrentDirectory\u003c/code\u003e value with the sanitized filename.\u003c/li\u003e\n\u003cli\u003eThe server attempts to process the uploaded file, but the \u003ccode\u003e.php\u003c/code\u003e extension triggers a \u003ccode\u003eCannotProcessMediaException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efinally\u003c/code\u003e block in \u003ccode\u003eMediaProcessor.php\u003c/code\u003e executes, calling \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to copy the file to the concatenated path, bypassing normal path sanitization due to \u003ccode\u003ePathPrefixer::prefixPath()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe webshell is written to the web root, allowing the attacker to execute arbitrary commands by accessing the webshell via HTTP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the AzuraCast server. This can lead to full server compromise, including reading sensitive configuration files (database credentials, API keys), accessing all station data, modifying application code, and potentially escalating privileges to root. A DJ-level user, the lowest privileged role with media access, can achieve the equivalent of full system administrator access, resulting in data exfiltration and complete control over the AzuraCast instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patch by sanitizing the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e using \u003ccode\u003eUploadedFile::filterClientPath()\u003c/code\u003e to prevent path traversal.\u003c/li\u003e\n\u003cli\u003eImplement path normalization in \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to prevent traversal even after concatenation, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AzuraCast Webshell Upload via Path Traversal\u0026rdquo; to identify exploitation attempts based on suspicious \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to unusual PHP files in the web root directory, such as \u003ccode\u003eshell.php\u003c/code\u003e as described in the PoC.\u003c/li\u003e\n\u003cli\u003eEnsure that AzuraCast instances do not grant excessive permissions to users; minimize the number of accounts with \u003ccode\u003eStationPermissions::Media\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuracast-rce/","summary":"AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.","title":"AzuraCast Path Traversal Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7213"}],"_cs_exploited":false,"_cs_products":["MLOps_MCP 1.0.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7213"],"_cs_type":"advisory","_cs_vendors":["ef10007"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7213, has been discovered in ef10007 MLOps_MCP version 1.0.0. The vulnerability resides within the \u003ccode\u003efastmcp_server.py\u003c/code\u003e file of the \u003ccode\u003esave_file Tool\u003c/code\u003e component. It allows a remote attacker to perform path traversal by manipulating the \u003ccode\u003efilename/destination\u003c/code\u003e argument. The existence of a public exploit increases the risk of exploitation. The vendor has been notified but has not yet responded, leaving users vulnerable to potential attacks. This vulnerability poses a significant risk to systems utilizing the affected MLOps_MCP instance, potentially leading to unauthorized file access, modification, or even execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an instance of MLOps_MCP version 1.0.0 accessible remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003efastmcp_server.py\u003c/code\u003e file of the \u003ccode\u003esave_file Tool\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker manipulates the \u003ccode\u003efilename/destination\u003c/code\u003e argument to include a path traversal sequence (e.g., \u003ccode\u003e../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe MLOps_MCP application processes the crafted request without proper validation of the supplied path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to save the file to the attacker-specified path, traversing directories outside the intended storage location.\u003c/li\u003e\n\u003cli\u003eDepending on the server\u0026rsquo;s permissions, the attacker may be able to overwrite existing files or create new files in arbitrary locations.\u003c/li\u003e\n\u003cli\u003eIf the attacker overwrites a critical system file, it can lead to denial of service.\u003c/li\u003e\n\u003cli\u003eIf the attacker uploads and executes a malicious script, it can lead to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-7213) can lead to unauthorized file access, modification, or creation on the affected system. An attacker could potentially overwrite critical system files, leading to denial-of-service conditions. Furthermore, the attacker might be able to upload and execute malicious scripts, resulting in complete system compromise. The CVSS v3.1 base score of 7.3 indicates a high level of severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MLOps_MCP Path Traversal Attempt\u003c/code\u003e to your SIEM to detect path traversal attempts targeting \u003ccode\u003efastmcp_server.py\u003c/code\u003e based on HTTP request parameters.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on the \u003ccode\u003efilename/destination\u003c/code\u003e argument within the \u003ccode\u003esave_file Tool\u003c/code\u003e component to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) as detected by the \u003ccode\u003eDetect Web Server Path Traversal\u003c/code\u003e rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-mlops-mcp-path-traversal/","summary":"A path traversal vulnerability exists in ef10007 MLOps_MCP version 1.0.0, allowing a remote attacker to manipulate the 'filename/destination' argument in the 'save_file Tool' component's 'fastmcp_server.py' file.","title":"MLOps_MCP Path Traversal Vulnerability (CVE-2026-7213)","url":"https://feed.craftedsignal.io/briefs/2024-01-mlops-mcp-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7400"}],"_cs_exploited":false,"_cs_products":["filesystem-mcp-server"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","cve-2026-7400"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical path traversal vulnerability, identified as CVE-2026-7400, affects geekgod382 filesystem-mcp-server version 1.0.0. This vulnerability resides within the \u003ccode\u003eis_path_allowed\u003c/code\u003e function in the \u003ccode\u003eserver.py\u003c/code\u003e file, specifically in the \u003ccode\u003eread_file_tool/write_file_tool\u003c/code\u003e component. A remote attacker can exploit this weakness to bypass intended access restrictions and potentially read or write sensitive files outside the designated directories. Publicly available exploit code exists, increasing the urgency for remediation. Upgrade to version 1.1.0 to apply the patch (45364545fc60dc80aadcd4379f08042d3d3d292e) and mitigate this risk. This vulnerability allows attackers to potentially gain unauthorized access to the underlying system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of \u003ccode\u003efilesystem-mcp-server\u003c/code\u003e version 1.0.0 exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eread_file_tool\u003c/code\u003e or \u003ccode\u003ewrite_file_tool\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a path traversal sequence (e.g., \u003ccode\u003e../\u003c/code\u003e) within the file path parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eis_path_allowed\u003c/code\u003e function fails to properly sanitize the input path, allowing the traversal sequence to bypass intended restrictions.\u003c/li\u003e\n\u003cli\u003eThe application processes the request, accessing a file outside the intended directory.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003eread_file_tool\u003c/code\u003e, the contents of the unauthorized file are returned to the attacker.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003ewrite_file_tool\u003c/code\u003e, the attacker can overwrite legitimate files, potentially injecting malicious code.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to read sensitive information or achieve arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-7400) can allow an attacker to read arbitrary files from the affected server, potentially exposing sensitive data such as configuration files, credentials, or internal documents. If the write_file_tool is exploited, the attacker might overwrite critical system files, leading to denial of service or arbitrary code execution. This issue affects systems running geekgod382 filesystem-mcp-server version 1.0.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to geekgod382 filesystem-mcp-server version 1.1.0 to apply the patch (45364545fc60dc80aadcd4379f08042d3d3d292e) that fixes CVE-2026-7400.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;filesystem-mcp-server Path Traversal Attempt\u0026rdquo; to detect potential exploitation attempts against the filesystem-mcp-server.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (\u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) targeting file access endpoints, as this may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent path traversal attacks, even after upgrading, as defense-in-depth.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-filesystem-mcp-server-path-traversal/","summary":"A path traversal vulnerability exists in geekgod382 filesystem-mcp-server version 1.0.0 allowing remote attackers to access unauthorized files due to insufficient path validation in the is_path_allowed function.","title":"geekgod382 filesystem-mcp-server Path Traversal Vulnerability (CVE-2026-7400)","url":"https://feed.craftedsignal.io/briefs/2024-01-filesystem-mcp-server-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-43616"}],"_cs_exploited":false,"_cs_products":["Detect-It-Easy (DIE) \u003c 3.21"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","archive-extraction"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDetect-It-Easy (DIE) is a program used to detect file types, unpackers, compilers, and crypto information. Versions prior to 3.21 are susceptible to a path traversal vulnerability (CVE-2026-43616). This vulnerability enables a malicious actor to write arbitrary files to the underlying filesystem by crafting archive entries with relative traversal sequences (e.g., \u0026ldquo;../../\u0026rdquo;) or absolute paths. This can be exploited by attackers by overwriting sensitive system files or user startup scripts, thus leading to persistent code execution. The vulnerability stems from insufficient path normalization during archive extraction.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious archive (e.g., ZIP, TAR) containing files with path traversal sequences in their filenames or absolute paths.\u003c/li\u003e\n\u003cli\u003eThe user executes Detect-It-Easy and loads the malicious archive for scanning.\u003c/li\u003e\n\u003cli\u003eDetect-It-Easy attempts to extract the files from the archive.\u003c/li\u003e\n\u003cli\u003eDue to insufficient path normalization, the application does not properly sanitize the file paths.\u003c/li\u003e\n\u003cli\u003eThe application writes files outside the intended extraction directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a user startup script (e.g., .bashrc, .profile) with malicious code.\u003c/li\u003e\n\u003cli\u003eThe user logs in or starts a new shell session.\u003c/li\u003e\n\u003cli\u003eThe malicious code in the startup script executes, granting the attacker persistent access or executing arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files to the filesystem with the privileges of the user running Detect-It-Easy. This could lead to complete system compromise through persistent code execution. The impact includes potential data theft, malware installation, or denial of service. While the number of victims is not specified, any user running a vulnerable version of Detect-It-Easy is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Detect-It-Easy to version 3.21 or later to patch CVE-2026-43616.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect-It-Easy Suspicious Archive Extraction\u0026rdquo; to identify potential exploitation attempts by detecting the execution of Detect-It-Easy with archive files containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for suspicious file writes outside of expected directories, particularly in user startup script locations, to detect potential exploitation based on file_event logsource.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-detect-it-easy-path-traversal/","summary":"Detect-It-Easy versions prior to 3.21 are vulnerable to path traversal, allowing attackers to write arbitrary files to the filesystem and potentially achieve code execution by crafting malicious archive entries.","title":"Detect-It-Easy Path Traversal Vulnerability (CVE-2026-43616)","url":"https://feed.craftedsignal.io/briefs/2024-01-detect-it-easy-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["apko (\u003c 1.2.5)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","symlink","apko","vulnerability","CVE-2026-42574"],"_cs_type":"advisory","_cs_vendors":["Chainguard"],"content_html":"\u003cp\u003eA path traversal vulnerability exists in apko\u0026rsquo;s \u003ccode\u003eDirFS\u003c/code\u003e component, specifically within the \u003ccode\u003esanitizePath\u003c/code\u003e helper function in versions prior to 1.2.5. The vulnerability allows a malicious \u003ccode\u003e.apk\u003c/code\u003e file to install a \u003ccode\u003eTypeSymlink\u003c/code\u003e tar entry pointing outside the intended build root. Subsequent directory creation or file writing operations could then traverse this symbolic link, leading to unauthorized access and modification of files on the host system. This issue affects users of apko and downstream tools, such as melange, that embed vulnerable versions of the \u003ccode\u003epkg/apk/fs\u003c/code\u003e package. The vulnerability was addressed in apko version 1.2.5 with the introduction of \u003ccode\u003e*os.Root\u003c/code\u003e, which prevents path traversal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.apk\u003c/code\u003e file containing a \u003ccode\u003eTypeSymlink\u003c/code\u003e tar entry.\u003c/li\u003e\n\u003cli\u003eThe symbolic link\u0026rsquo;s target is set to a path outside the intended build root, potentially targeting sensitive system directories.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.apk\u003c/code\u003e is processed using a vulnerable version of apko (prior to 1.2.5) via commands like \u003ccode\u003eapko build-cpio\u003c/code\u003e or through disk-backed consumers such as \u003ccode\u003emelange\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring tar extraction, the vulnerable \u003ccode\u003esanitizePath\u003c/code\u003e function fails to properly resolve or refuse the malicious symlink.\u003c/li\u003e\n\u003cli\u003eA subsequent directory-creation or file-write operation is initiated within the same or a later archive entry.\u003c/li\u003e\n\u003cli\u003eThe file operation traverses the previously created symbolic link, gaining access to the file system location outside the intended build root.\u003c/li\u003e\n\u003cli\u003eThe attacker can then create directories or write files to the compromised location, potentially overwriting critical system files or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to privilege escalation and persistent compromise of the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the host system. This can lead to privilege escalation if the attacker can overwrite setuid binaries or modify system configuration files. It can also lead to persistent compromise of the system if the attacker injects malicious code into startup scripts or other system files. While the exact number of victims is unknown, any system running a vulnerable version of apko (prior to 1.2.5) or tools embedding vulnerable versions of \u003ccode\u003epkg/apk/fs\u003c/code\u003e, such as melange, is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade apko to version 1.2.5 or later. This version includes a fix that prevents path traversal vulnerabilities as described in the advisory and commit \u003ca href=\"https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442\"\u003ef5a96e1\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, avoid consuming APKs from untrusted sources. However, note that this does not fully eliminate the risk.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in sensitive directories for unexpected activity, especially after processing \u003ccode\u003e.apk\u003c/code\u003e files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-apko-path-traversal/","summary":"A symlink-following path traversal vulnerability exists in apko versions prior to 1.2.5 allowing a malicious .apk file to create a symbolic link pointing outside the build root and subsequently modify files on the host system.","title":"Apko DirFS Symlink Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-apko-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Path-Traversal","version":"https://jsonfeed.org/version/1.1"}