Platform: go
Component: github.com/flipped-aurora/gin-vue-admin
Fixed in: 2.8.8
CVE-2026-22786 describes a Path Traversal vulnerability discovered in Gin-vue-admin, a Go-based admin panel. This flaw allows attackers to upload arbitrary files, potentially enabling remote code execution or data compromise. The vulnerability impacts versions of Gin-vue-admin before 2.8.8. A fix is available in version 2.8.8.
The arbitrary file upload capability afforded by CVE-2026-22786 presents a significant risk. An attacker could upload a malicious web shell, granting them remote command execution on the server hosting the Gin-vue-admin application. This could lead to complete system compromise, data exfiltration, and further lateral movement within the network. The impact is amplified if the application is deployed in a production environment with sensitive data or critical functionality. Successful exploitation could also allow an attacker to overwrite existing system files, leading to denial of service.
CVE-2026-22786 was publicly disclosed on January 23, 2026. Currently, no public proof-of-concept exploits are known. The EPSS score is pending evaluation. Given the nature of the vulnerability (arbitrary file upload), it is likely to become a target for exploitation once a readily available exploit is developed.
EPSS: 0.59% (69th percentile)
The primary mitigation for CVE-2026-22786 is to upgrade Gin-vue-admin to version 2.8.8 or later. If upgrading immediately is not feasible, implement temporary workarounds. Restrict the upload directory to a specific, isolated location. Thoroughly validate all uploaded filenames to prevent path traversal attempts, ensuring they do not contain characters like '..' or absolute paths. Consider implementing a Web Application Firewall (WAF) with rules to block suspicious file uploads. Monitor application logs for unusual file upload activity.
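One way to implement the filename validation and upload-directory restriction described above, as an added Go example that is not gin-vue-admin's own code or its patch. The helper `safeUploadPath`, the error `ErrUnsafeName`, the base directory `/srv/gva/uploads` and the sample filenames are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for any filename that could leave the upload directory.
var ErrUnsafeName = errors.New("unsafe upload filename")

// safeUploadPath maps a client-supplied filename to a path inside baseDir.
// Hypothetical helper for illustration, not part of gin-vue-admin.
func safeUploadPath(baseDir, clientName string) (string, error) {
	// Treat backslashes as separators so Windows-style names are caught on any OS.
	name := strings.ReplaceAll(clientName, "\\", "/")
	if name == "" || strings.ContainsRune(name, 0) {
		return "", ErrUnsafeName
	}
	// Reject absolute paths and drive letters / stream names ("C:", "f:ads").
	if strings.HasPrefix(name, "/") || strings.Contains(name, ":") {
		return "", ErrUnsafeName
	}
	// Reject any ".." segment instead of trying to strip or rewrite it.
	for _, seg := range strings.Split(name, "/") {
		if seg == ".." {
			return "", ErrUnsafeName
		}
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, filepath.FromSlash(name))
	// Defence in depth: the cleaned result must be strictly below base.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed sample filenames, benign and hostile.
	names := []string{"report.pdf", "avatars/u1.png", "../../etc/cron.d/x", "/etc/passwd", `..\..\web\x.go`}
	for _, n := range names {
		p, err := safeUploadPath("/srv/gva/uploads", n)
		fmt.Printf("%-22q -> %q err=%v\n", n, p, err)
	}
}
```

The check is lexical only: it does not resolve symlinks that already exist inside the upload directory, so that directory should not be writable by anything other than the upload handler.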
Update Gin-vue-admin to a version later than 2.8.7 that contains the fix for the path traversal vulnerability. See the security advisory on GitHub for more details and the patched version.
CVE-2026-22786 is a Path Traversal vulnerability in Gin-vue-admin versions before 2.8.8, allowing attackers to upload arbitrary files.
You are affected if you are using Gin-vue-admin versions prior to 2.8.8. Upgrade immediately to mitigate the risk.
Upgrade to version 2.8.8 or later. As a temporary workaround, restrict upload paths and validate filenames.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is likely to become a target.
Refer to the official Gin-vue-admin project repository and release notes for the latest security advisories.