CVE-2026-22685

CRITICAL EPSS 31.1%
Published Jan 10, 20265mo ago · Modified Jun 17, 20262w ago
9.8 CVSS 3.1
Critical
Find Similar
Published Jan 10, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user’s system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
31.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 1

VendorProductVersionRange
devtoysdevtoys*≥2.0.1.0  –  <2.0.9.0

References 3

  • github.com https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f
    Patch
  • github.com https://github.com/DevToys-app/DevToys/pull/1643
    Issue TrackingPatch
  • github.com https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh
    Vendor Advisory

Remediation

  • github.com https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f
    Patch
  • github.com https://github.com/DevToys-app/DevToys/pull/1643
    Issue TrackingPatch