Platform: other
Component: openviking
Fixed in: 0.2.2
CVE-2026-28518 describes a Path Traversal vulnerability discovered in OpenViking, a software package. This vulnerability allows attackers to write files outside the intended import directory, potentially leading to arbitrary code execution or data corruption. The vulnerability affects versions 0.2.1 and prior, and a fix is available in commit 46b3e76e28b9b3eee73693720c9ec48820228b72.
An attacker can exploit this path traversal vulnerability by crafting a malicious ZIP archive containing traversal sequences, absolute paths, or drive prefixes within member names. This allows them to overwrite or create arbitrary files with the privileges of the importing process. Successful exploitation could lead to arbitrary code execution, data corruption, or denial of service, depending on the files overwritten and the privileges of the OpenViking process. The impact is amplified if the OpenViking process runs with elevated privileges, potentially allowing attackers to compromise the entire system.
This vulnerability was publicly disclosed on 2026-03-03. There is no indication of active exploitation campaigns or a KEV listing at the time of writing. Public proof-of-concept exploits are not currently available, but the nature of path traversal vulnerabilities makes it likely that such exploits will emerge. The vulnerability's ease of exploitation warrants careful monitoring.
Organizations and individuals utilizing OpenViking for package management or deployment are at risk. This includes environments where .ovpack files are imported from untrusted sources or where the OpenViking process runs with elevated privileges. Shared hosting environments where multiple users share the same OpenViking instance are particularly vulnerable.
Disclosure
Exploit status
EPSS: 0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28518 is to upgrade OpenViking to the version containing the fix (commit 46b3e76e28b9b3eee73693720c9ec48820228b72). If immediate upgrading is not possible, restrict access to the .ovpack import functionality to trusted sources only. Implement strict input validation on all files processed by OpenViking, specifically scrutinizing ZIP archive member names for traversal sequences. Consider using a Web Application Firewall (WAF) to filter potentially malicious ZIP files based on known patterns. After upgrade, confirm the fix by attempting to import a test ZIP archive with a known malicious path traversal sequence and verifying that the import fails with an appropriate error message.
Update OpenViking to the version after commit 46b3e76e28b9b3eee73693720c9ec48820228b72. This fixes the path traversal vulnerability when importing .ovpack files. Make sure you obtain the update from the official Volcengine source.
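The member-name validation the advisory recommends, written out as a defensive import check. This is an added example, not code from the OpenViking project or its fix commit; the archive it inspects is constructed in memory, and the import root, function names and rejection rules are this example's own assumptions. It rejects the three vectors the advisory names (traversal sequences, absolute paths, drive prefixes) before anything touches disk, and refuses the whole archive rather than skipping bad members, which is also the behaviour the post-upgrade verification step above expects to observe.

```python
"""Defensive member-name validation for ZIP-based package imports.

Added example (not OpenViking project code). The import root and the
demo archive are constructed here for illustration.
"""
import io
import os
import posixpath
import tempfile
import zipfile


class UnsafeMemberError(ValueError):
    """Raised when an archive member would resolve outside the import root."""


def resolve_member(import_root: str, member_name: str) -> str:
    """Return the on-disk path for `member_name`, or raise UnsafeMemberError.

    Rejected vectors:
      * absolute POSIX names ("/var/...") and backslash-rooted names
      * drive prefixes such as "C:"
      * ".." components; normpath collapses interior ones, so only a leading
        ".." survives and that is what we test for
      * any final resolved path not strictly inside import_root (catches
        anything the string checks above missed)
    """
    name = member_name.replace("\\", "/")  # ZIP spec mandates '/', be strict about '\'
    if not name or name.startswith("/"):
        raise UnsafeMemberError(f"absolute path rejected: {member_name!r}")
    if len(name) >= 2 and name[1] == ":":
        raise UnsafeMemberError(f"drive prefix rejected: {member_name!r}")
    normalized = posixpath.normpath(name)
    if normalized == ".." or normalized.startswith("../"):
        raise UnsafeMemberError(f"traversal sequence rejected: {member_name!r}")
    root = os.path.realpath(import_root)
    target = os.path.realpath(os.path.join(root, *normalized.split("/")))
    if os.path.commonpath([root, target]) != root or target == root:
        raise UnsafeMemberError(f"escapes import root: {member_name!r}")
    return target


def audit_archive(zip_bytes: bytes, import_root: str) -> dict:
    """Classify every member as safe or rejected without extracting anything."""
    result = {"safe": [], "rejected": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                resolve_member(import_root, info.filename)
                result["safe"].append(info.filename)
            except UnsafeMemberError as exc:
                result["rejected"][info.filename] = str(exc)
    return result


def safe_extract(zip_bytes: bytes, import_root: str) -> list:
    """All-or-nothing extraction: validate every member first, then write."""
    audit = audit_archive(zip_bytes, import_root)
    if audit["rejected"]:
        raise UnsafeMemberError(f"refusing archive: {sorted(audit['rejected'])}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_member(import_root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_demo_archive() -> bytes:
    """Constructed sample: one benign member plus the three vectors the advisory names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pack/manifest.json", '{"name": "demo"}')
        zf.writestr("../../outside.txt", "traversal")   # traversal sequence
        zf.writestr("/var/tmp/absolute.txt", "absolute")  # absolute path
        zf.writestr("C:/Temp/drive.txt", "drive")         # drive prefix
    return buf.getvalue()


def demo() -> dict:
    """Audit the hostile archive, confirm it is refused, then extract a clean one."""
    with tempfile.TemporaryDirectory() as root:
        hostile = build_demo_archive()
        audit = audit_archive(hostile, root)
        try:
            safe_extract(hostile, root)
            outcome = "unexpected success"
        except UnsafeMemberError:
            outcome = "archive refused"
        clean = io.BytesIO()
        with zipfile.ZipFile(clean, "w") as zf:
            zf.writestr("pack/manifest.json", "{}")
        written = safe_extract(clean.getvalue(), root)
        return {
            "audit": audit,
            "hostile": outcome,
            "clean_written": [os.path.relpath(p, root) for p in written],
        }


if __name__ == "__main__":
    print(demo())
```

The string checks are cheap and give a readable rejection reason; the `realpath`/`commonpath` check is the actual security boundary and catches anything a future encoding trick slips past the string checks. An importer that also accepts symlink members should additionally refuse to write through a symlink that resolves outside the root, and should cap member count and total uncompressed size; neither is covered here.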
CVE-2026-28518 is a Path Traversal vulnerability affecting OpenViking versions 0.2.1 and earlier, allowing attackers to write files outside the intended import directory via crafted ZIP archives.
You are affected if you are using OpenViking versions 0.2.1 or earlier. Upgrade to commit 46b3e76e28b9b3eee73693720c9ec48820228b72 to mitigate the risk.
Upgrade OpenViking to commit 46b3e76e28b9b3eee73693720c9ec48820228b72. Implement input validation and restrict file write permissions as temporary workarounds.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future exploitation.
Refer to the OpenViking project's official communication channels and repository for the latest advisory regarding CVE-2026-28518.