CVE-2026-28518

HIGH EPSS 7.8%
Published Mar 3, 2026 (4mo ago) · Modified Jun 17, 2026 (2w ago)
8.4 CVSS 4.0
High

Description

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
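
An added example, not OpenViking's code and not the patch in commit 46b3e76: a Python check that rejects the three member-name shapes the description lists (traversal sequences, absolute paths, drive prefixes) and then confirms the resolved destination stays inside the import directory. The function names and the sample archive are constructed for illustration.

```python
import io
import os
import re
import zipfile

_DRIVE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as C: or C:\

def unsafe_reason(member_name):
    """Return why a ZIP member name is unsafe to extract, or None if acceptable."""
    name = member_name.replace("\\", "/")  # treat both separators alike
    if not name or "\x00" in name:
        return "empty name or NUL byte"
    if _DRIVE.match(name):
        return "drive prefix"
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "traversal sequence"
    return None

def resolve_inside(import_dir, member_name):
    """Return the destination path for a member, or raise ValueError if it escapes."""
    reason = unsafe_reason(member_name)
    if reason:
        raise ValueError(f"{member_name!r}: {reason}")
    root = os.path.realpath(import_dir)
    dest = os.path.realpath(os.path.join(root, member_name.replace("\\", "/")))
    # Second check after resolution: catches escapes through symlinks already on disk.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"{member_name!r}: resolves outside import directory")
    return dest

def audit_archive(data):
    """Map each rejected member name in the archive bytes to its rejection reason."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {n: unsafe_reason(n) for n in names if unsafe_reason(n)}

def build_sample():
    """Constructed test archive: one benign member and four bad names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.md", "../../outside.txt", "/tmp/abs.txt",
                     "C:\\Windows\\x.txt", "docs/../../escape.txt"):
            zf.writestr(name, b"sample")
    return buf.getvalue()
```

Running `audit_archive` over an archive before import gives a list of rejected members to log; `resolve_inside` is the per-member gate to call immediately before each write.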

CVSS Details

Base Score
8.4
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
7.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 1

Vendor       Product      Version   Range
volcengine   openviking   *         <0.2.1

References 3

  • github.com https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72
    Patch
  • github.com https://github.com/volcengine/OpenViking/issues/342
    Issue Tracking
  • vulncheck.com https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal
    Patch, Third Party Advisory

Remediation

  • github.com https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72
    Patch
  • vulncheck.com https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal
    Patch, Third Party Advisory