CVE-2026-28518
HIGH EPSS 7.8%
Published Mar 3, 2026 · Modified Jun 17, 2026
8.4 CVSS 4.0
Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
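A defensive check for the three member-name classes the description lists (traversal sequences, absolute paths, drive prefixes), given as an added example. It is not OpenViking's code or the fix in commit 46b3e76; the names `unsafe_reason`, `safe_extract` and `build_archive` are hypothetical, and the sample archive is constructed in memory.

```python
import io
import re
import zipfile
from pathlib import Path

_DRIVE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as "C:"

def unsafe_reason(name: str):
    """Return why a ZIP member name is unsafe, or None if it is acceptable."""
    norm = name.replace("\\", "/")  # treat backslashes as separators on every OS
    if _DRIVE.match(norm):
        return "drive prefix"
    if norm.startswith("/"):
        return "absolute path"
    if ".." in norm.split("/"):
        return "traversal sequence"
    return None

def safe_extract(archive: bytes, dest: Path):
    """Validate every member name first; write nothing if any member is rejected."""
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = {i.filename: r for i in zf.infolist() if (r := unsafe_reason(i.filename))}
        if bad:
            raise ValueError(f"rejected members: {bad}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (dest / info.filename.replace("\\", "/")).resolve()
            # Defence in depth: the resolved path must still sit under dest
            # (covers a symlinked directory already present inside dest).
            if not target.is_relative_to(dest):
                raise ValueError(f"escapes import directory: {info.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
        return written

def build_archive(names):
    """Constructed sample input: an in-memory ZIP holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()
```

Rejecting the whole archive before the first write avoids a partially imported package when one bad member appears late in the listing.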
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X
Threat Intelligence
EPSS Exploit Probability
7.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| volcengine | openviking | * | <0.2.1 |
References 3
- github.com https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72
- github.com https://github.com/volcengine/OpenViking/issues/342
- vulncheck.com https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal
Remediation
- github.com https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72
- vulncheck.com https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal