Home

Description

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-20 | Updated 2026-03-24 | Assigner GitHub_M




HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 2.38.0
affected

References

github.com/...llure2/security/advisories/GHSA-64hm-gfwq-jppw

cve.org (CVE-2026-33166)

nvd.nist.gov (CVE-2026-33166)

Download JSON