Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-58171

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Jun, 2026 | 15:54
Updated At-30 Jun, 2026 | 17:13
Rejected At-
Credits

Vibe-Trading < 0.1.10 - Path Traversal via Swarm Run Identifier

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Jun, 2026 | 15:54
Updated At:30 Jun, 2026 | 17:13
Rejected At:
▼CVE Numbering Authority (CNA)
Vibe-Trading < 0.1.10 - Path Traversal via Swarm Run Identifier

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

Affected Products
Vendor
HKUDS
Product
Vibe-Trading
Repo
https://github.com/HKUDS/Vibe-Trading
Default Status
unaffected
Versions
Affected
  • From 0 before 0.1.10 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
3.14.2MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Version: 3.1
Base score: 4.2
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Chia Min Jun Lennon
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10
release-notes
https://github.com/HKUDS/Vibe-Trading/pull/258
issue-tracking
https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab
patch
https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifier
third-party-advisory
Hyperlink: https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10
Resource:
release-notes
Hyperlink: https://github.com/HKUDS/Vibe-Trading/pull/258
Resource:
issue-tracking
Hyperlink: https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifier
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Jun, 2026 | 17:16
Updated At:30 Jun, 2026 | 18:16

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.14.2MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
N/A
Type: Secondary
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 4.2
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-22Secondarydisclosure@vulncheck.com
CWE ID: CWE-22
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87abdisclosure@vulncheck.com
N/A
https://github.com/HKUDS/Vibe-Trading/pull/258disclosure@vulncheck.com
N/A
https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10disclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifierdisclosure@vulncheck.com
N/A
Hyperlink: https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/HKUDS/Vibe-Trading/pull/258
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifier
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6Records found

CVE-2026-58170
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.2||HIGH
EPSS-0.42% / 33.47%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 15:53
Updated-30 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vibe-Trading < 0.1.10 - Path Traversal in Proposal Identifier Allows Forging Live Trading Mandates

Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization (agent/src/live/mandate/commit.py). A proposal identifier containing path traversal sequences causes the application to load an attacker-controlled JSON file as an authoritative live trading mandate. Combined with the file upload endpoint, an admitted caller can write a JSON file to a known location and traverse to it, and because the ceilings validation is skipped when ceilings are absent, the attacker fully controls the committed mandate.

Action-Not Available
Vendor-HKUDS
Product-Vibe-Trading
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-48716
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.28% / 19.41%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 18:46
Updated-22 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nanobot: Path traversal via unsanitized WhatsApp document fileName enables arbitrary file write

nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes them to disk using a filename derived from the sender's message via documentMessage.fileName, which is concatenated with a prefix and its raw value is passed directly to path.join(mediaDir, outFilename). Node.js path.join resolves .. components, allowing an attacker to escape the intended media/ directory by sending a document with a crafted fileName such as ../../../.ssh/authorized_keys. Because the attacker also controls the file content (the downloaded buffer), this is a write-anywhere primitive — both path and content are attacker-controlled. A fix for this issue is planned for version 0.1.5.post4.

Action-Not Available
Vendor-HKUDS
Product-nanobot
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-40503
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.41% / 33.24%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 00:08
Updated-23 Apr, 2026 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenHarness Path Traversal Information Disclosure via /memory show

OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /memory show slash command. Attackers can manipulate the path input parameter to escape the project memory directory and access sensitive files accessible to the OpenHarness process without filesystem containment validation.

Action-Not Available
Vendor-hkudsHKUDS
Product-openharnessOpenHarness
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-32847
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.38% / 29.59%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:32
Updated-23 Jun, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DeepCode 1.2.0 Path Traversal via SPA Catch-All Route in main.py

DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in new_ui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /{full_path:path} endpoint. Attackers can bypass Starlette's path normalization by encoding slashes as %2F and dots as %2E%2E, causing the joined path to traverse outside FRONTEND_DIST and exposing sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request.

Action-Not Available
Vendor-hkudsHKUDS
Product-deepcodeDeepCode
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-58173
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-6||MEDIUM
EPSS-0.31% / 22.45%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 15:55
Updated-30 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vibe-Trading < 0.1.10 - Path Traversal via Persistent Memory Type

Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences through the remember tool. Attackers can manipulate the memory_type parameter in the persistent memory store to cause the application to write arbitrary Markdown files to unintended locations on the filesystem.

Action-Not Available
Vendor-HKUDS
Product-Vibe-Trading
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-6773
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 6.64%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 19:00
Updated-30 Jun, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal

A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue.

Action-Not Available
Vendor-HKUDS
Product-LightRAG
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Details not found