Description

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the privileges of the importing process.
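A defensive check for the three member-name classes named above (traversal sequences, absolute paths, drive prefixes), shown as an added example; it is not the OpenViking patch or code from the project. The names `check_member`, `safe_import` and `build_pack` are hypothetical, and the archives are constructed in memory.

```python
import io
import os
import re
import tempfile
import zipfile

DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")

def check_member(name, dest):
    """Return the resolved write target for a ZIP member, or raise ValueError."""
    norm = name.replace("\\", "/")  # treat Windows separators as separators
    if norm.startswith("/") or DRIVE_PREFIX.match(norm):
        raise ValueError(f"absolute path or drive prefix: {name!r}")
    if ".." in norm.split("/"):
        raise ValueError(f"traversal sequence: {name!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    if os.path.commonpath([root, target]) != root:  # e.g. a symlink inside dest
        raise ValueError(f"resolves outside import directory: {name!r}")
    return target

def safe_import(archive, dest):
    """Validate every member before writing anything, then extract the files."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = [(info, check_member(info.filename, dest)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest)))
        return written

def build_pack(names):  # constructed sample archive, not a real .ovpack
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"sample")
    return buf.getvalue()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as dest:
        print(safe_import(build_pack(["docs/a.md", "b.txt"]), dest))
        try:
            safe_import(build_pack(["ok.txt", "../x.txt"]), dest)
        except ValueError as exc:
            print("rejected:", exc)
```

Because the whole member list is validated before the first write, an archive that mixes benign and hostile names leaves the import directory untouched.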

PUBLISHED Reserved 2026-02-27 | Published 2026-03-03 | Updated 2026-03-03 | Assigner VulnCheck




HIGH: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version: affected

commit 46b3e76: unaffected

Credits

Chia Min Jun Lennon (finder)

References

github.com/volcengine/OpenViking/issues/342 (exploit)

github.com/volcengine/OpenViking/issues/342 (issue-tracking)

github.com/...ommit/46b3e76e28b9b3eee73693720c9ec48820228b72 (patch)

www.vulncheck.com/...g-ovpack-import-zip-slip-path-traversal (third-party-advisory)

cve.org (CVE-2026-28518)

nvd.nist.gov (CVE-2026-28518)