CVE-2026-58171

Publié : 30 juin 2026

Modifié : 30 juin 2026

Score CVSS

4.2

MEDIUM

Description détaillée

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Références et Patchs

https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab https://github.com/HKUDS/Vibe-Trading/pull/258 https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10 https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifier

Dernières Vulnérabilités

CVE-2026-9836

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.

VOIR DÉTAILS

CVE-2026-9002

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.

VOIR DÉTAILS

CVE-2026-7874

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

VOIR DÉTAILS