HIGH · CVE-2026-22685 · CVSS 8.8

CVE-2026-22685: Path Traversal in DevToys

Platform

other

Component

devtoys

Fixed in

2.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-22685 describes a Path Traversal vulnerability discovered in DevToys, a desktop application for developers. This flaw allows attackers to overwrite arbitrary files on a user’s system by crafting malicious extension packages. The vulnerability affects versions 2.0.0.0 through 2.0.8.0, and a fix is available in version 2.0.9.0.

Impact and Attack Scenarios

The core of this vulnerability lies in DevToys' extension installation process. When handling NUPKG archive files, the application fails to adequately validate file paths within the archive. An attacker can exploit this by including specially crafted file entries, such as ../../…/target-file, within a malicious extension package. Such an entry escapes the intended extraction directory, allowing the attacker to write files to arbitrary locations on the user's system. The potential impact is significant, as an attacker could overwrite critical system files, inject malicious code, or gain persistent access to the affected machine, effectively compromising the user's environment. This is particularly concerning given DevToys' role as a developer tool, since it potentially grants access to sensitive project files and credentials.
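The defensive check that the paragraph above describes as missing, shown as an added example (not DevToys code): a NUPKG is a ZIP archive, so each entry name is validated before it is joined to the extraction directory, and the constructed sample package contains one benign entry plus the traversal patterns an extractor must reject.

```python
"""Validate archive entry names before extraction (added example, not DevToys code)."""
import io
import os
import re
import zipfile
from typing import List, Tuple


class UnsafeEntry(ValueError):
    """Raised for an archive entry that would escape the extraction directory."""


def resolve_entry(dest_dir: str, name: str) -> str:
    """Return the absolute path an entry would be written to, or raise UnsafeEntry.

    Backslashes are treated as separators (Windows archivers emit them),
    absolute paths and drive letters are rejected, '..' components are
    rejected, and the normalized result must still lie under dest_dir.
    """
    unix_name = name.replace("\\", "/")
    if not unix_name or unix_name.startswith("/") or re.match(r"^[A-Za-z]:", unix_name):
        raise UnsafeEntry(f"absolute path or drive letter: {name!r}")
    if any(part == ".." for part in unix_name.split("/")):
        raise UnsafeEntry(f"parent-directory reference: {name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *unix_name.split("/")))
    if os.path.commonpath([root, target]) != root:  # belt and braces
        raise UnsafeEntry(f"escapes extraction directory: {name!r}")
    return target


def check_package(data: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Classify every entry of a NUPKG (ZIP) as accepted or rejected, writing nothing."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                resolve_entry(dest_dir, info.filename)
                accepted.append(info.filename)
            except UnsafeEntry:
                rejected.append(info.filename)
    return accepted, rejected


def build_sample_package() -> bytes:
    """Constructed sample NUPKG: one benign entry and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net8.0/Sample.Extension.dll", b"stub")  # hypothetical entry
        zf.writestr("../../target-file", b"overwritten")
        zf.writestr("/etc/target-file", b"overwritten")
        zf.writestr("..\\..\\target-file", b"overwritten")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = check_package(build_sample_package(), "/tmp/devtoys-extensions")
    print("accepted:", ok)
    print("rejected:", bad)
```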

Exploitation Context

CVE-2026-22685 was publicly disclosed on 2026-01-10. There is no indication of this vulnerability being actively exploited at this time, nor is it currently listed on CISA KEV. The EPSS score is likely to be low due to the lack of public exploits and the need for a crafted extension package, but the potential impact warrants attention. Public proof-of-concept code is not currently available.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.05% (14th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: devtoys
Vendor: DevToys-app
Affected range: >= 2.0.0.0, < 2.0.9.0
Fixed in: 2.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-22685 is to immediately upgrade DevToys to version 2.0.9.0 or later, which contains the necessary fix. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider isolating DevToys from untrusted networks and disabling the installation of extensions from unknown sources. A WAF rule is unlikely to apply to a desktop application, but monitoring for unusual file creation activity within the DevToys installation directory could provide an early warning sign. After upgrading, verify the fix by attempting to install a known malicious extension package (in a controlled environment) and confirming that file extraction is restricted to the intended extensions directory.

How to fix

Update DevToys to version 2.0.9.0 or later. Download the latest version from the official website or through the update mechanism within the application. This corrects the path traversal vulnerability when installing extensions.

Frequently asked questions

What is CVE-2026-22685 — Path Traversal in DevToys?

CVE-2026-22685 is a Path Traversal vulnerability affecting DevToys versions 2.0.0.0 through 2.0.8.0, allowing attackers to overwrite files by crafting malicious extension packages.

Am I affected by CVE-2026-22685 in DevToys?

You are affected if you are using DevToys versions 2.0.0.0 to 2.0.8.0. Upgrade to 2.0.9.0 or later to mitigate the risk.

How do I fix CVE-2026-22685 in DevToys?

Upgrade DevToys to version 2.0.9.0 or later. If immediate upgrade is not possible, isolate DevToys and disable extension installation from untrusted sources.

Is CVE-2026-22685 being actively exploited?

There is currently no evidence of CVE-2026-22685 being actively exploited.

Where can I find the official DevToys advisory for CVE-2026-22685?

Refer to the official DevToys release notes and security advisories on the developer's website for the most up-to-date information.