Vibe-Trading

Source: CNA
CNA CVEs: 4
ADP CVEs: 0
CISA CVEs: 0
NVD CVEs: 0

4 vulnerabilities found

CVE-2026-58173
Assigner: VulnCheck
CVSS Score: 6 (MEDIUM)
EPSS: 0.31% / 22.45% (7-day change: ~0.00%)
Published: 30 Jun, 2026 | 15:55
Updated: 30 Jun, 2026 | 18:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Vibe-Trading < 0.1.10 - Path Traversal via Persistent Memory Type

Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences through the remember tool. Attackers can manipulate the memory_type parameter in the persistent memory store to cause the application to write arbitrary Markdown files to unintended locations on the filesystem.

Action: Not Available
Vendor: HKUDS
Product: Vibe-Trading
CWE ID: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVE-2026-58171
Assigner: VulnCheck
CVSS Score: 2.3 (LOW)
EPSS: 0.25% / 16.62% (7-day change: ~0.00%)
Published: 30 Jun, 2026 | 15:54
Updated: 30 Jun, 2026 | 18:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Vibe-Trading < 0.1.10 - Path Traversal via Swarm Run Identifier

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

Action: Not Available
Vendor: HKUDS
Product: Vibe-Trading
CWE ID: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVE-2026-58170
Assigner: VulnCheck
CVSS Score: 7.2 (HIGH)
EPSS: 0.42% / 33.47% (7-day change: ~0.00%)
Published: 30 Jun, 2026 | 15:53
Updated: 30 Jun, 2026 | 18:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Vibe-Trading < 0.1.10 - Path Traversal in Proposal Identifier Allows Forging Live Trading Mandates

Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization (agent/src/live/mandate/commit.py). A proposal identifier containing path traversal sequences causes the application to load an attacker-controlled JSON file as an authoritative live trading mandate. Combined with the file upload endpoint, an admitted caller can write a JSON file to a known location and traverse to it, and because the ceilings validation is skipped when ceilings are absent, the attacker fully controls the committed mandate.

Action: Not Available
Vendor: HKUDS
Product: Vibe-Trading
CWE ID: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
CVE-2026-58169
Assigner: VulnCheck
CVSS Score: 7.7 (HIGH)
EPSS: 0.29% / 20.37% (7-day change: ~0.00%)
Published: 30 Jun, 2026 | 15:52
Updated: 01 Jul, 2026 | 16:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Vibe-Trading < 0.1.10 - Loopback Trust and Missing Host Validation Enable DNS-Rebinding Authentication Bypass and Remote Code Execution

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to 0.0.0.0 with credentialed CORS. Attackers can craft a malicious DNS rebinding page to issue authenticated requests to the local API server, reach the shell execution endpoint with a bash-enabled preset, and achieve remote code execution as the API process user while also overwriting LLM and data-source settings to exfiltrate credentials.

Action: Not Available
Vendor: HKUDS
Product: Vibe-Trading
CWE ID: CWE-346 (Origin Validation Error)