Platform: other
Component: openviking
Fixed in: 0.2.2
CVE-2026-28518 describes a Path Traversal vulnerability discovered in OpenViking, a software package. This vulnerability allows attackers to write files outside the intended import directory, potentially leading to arbitrary code execution or data corruption. The vulnerability affects versions 0.2.1 and prior, and a fix is available in commit 46b3e76e28b9b3eee73693720c9ec48820228b72.
The primary impact of CVE-2026-28518 is the ability for an attacker to write arbitrary files on the system running OpenViking. This can be achieved by crafting malicious ZIP archives containing traversal sequences, absolute paths, or drive prefixes within member names during the .ovpack import process. Successful exploitation could allow an attacker to overwrite critical system files, inject malicious code, or gain unauthorized access to sensitive data. The blast radius extends to any system where OpenViking is deployed and processing untrusted .ovpack files. This vulnerability shares similarities with other path traversal exploits where attackers leverage file system navigation to bypass security controls.
CVE-2026-28518 was publicly disclosed on 2026-03-03. There is no indication of active exploitation or inclusion on the CISA KEV catalog at this time. Public proof-of-concept exploits are currently unavailable, but the vulnerability's nature makes it likely that such exploits will emerge. The vulnerability's ease of exploitation, combined with the potential impact, warrants careful monitoring and prompt patching.
Exploit Status
EPSS: 0.01% (0% percentile)
The recommended mitigation for CVE-2026-28518 is to immediately upgrade OpenViking to the version containing the fix, commit 46b3e76e28b9b3eee73693720c9ec48820228b72. If upgrading is not immediately feasible, consider implementing strict input validation on .ovpack files to prevent the inclusion of traversal sequences. Additionally, restrict file write permissions for the OpenViking import process to the intended import directory. Monitor system logs for unusual file creation or modification activity within the import directory. After upgrade, confirm the fix by attempting to import a crafted ZIP archive containing a path traversal sequence and verifying that the file is not written outside the intended directory.
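One way to implement the input validation described above, as an added example (not OpenViking's own code or its fix): a pre-import audit that flags .ovpack members whose names contain traversal sequences, absolute paths or drive prefixes. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")  # e.g. "C:" or "C:/..."


def unsafe_reason(member_name):
    """Return why a ZIP member name must be rejected, or None if it is acceptable."""
    # Treat backslashes as separators so Windows-style names are judged the same way.
    name = member_name.replace("\\", "/")
    if not name:
        return "empty name"
    if name.startswith("/"):
        return "absolute path"
    if _DRIVE_PREFIX.match(name):
        return "drive prefix"
    # Reject ".." only as a whole path component; "notes..md" is a legal file name.
    if ".." in name.split("/"):
        return "traversal sequence"
    return None


def audit_archive(data):
    """Map each unsafe member name in a ZIP (given as bytes) to its rejection reason."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        reasons = ((info.filename, unsafe_reason(info.filename)) for info in zf.infolist())
        return {name: why for name, why in reasons if why}


def build_sample():
    """Constructed in-memory archive: one normal member and three that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("pack/notes.md", "../../outside.txt", "/abs/outside.txt", "C:\\outside.txt"):
            zf.writestr(name, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in audit_archive(build_sample()).items():
        print(f"REJECT {name!r}: {why}")
```

An import path using this check should refuse the whole archive when `audit_archive` returns any finding, before any member is extracted.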
Upgrade OpenViking to the version after commit 46b3e76e28b9b3eee73693720c9ec48820228b72. This fixes the path traversal vulnerability when importing .ovpack files. Make sure to obtain the update from the official Volcengine source.
CVE-2026-28518 is a Path Traversal vulnerability affecting OpenViking versions 0.2.1 and earlier, allowing attackers to write files outside the intended import directory via crafted ZIP archives.
You are affected if you are using OpenViking versions 0.2.1 or earlier. Upgrade to commit 46b3e76e28b9b3eee73693720c9ec48820228b72 to mitigate the risk.
Upgrade OpenViking to commit 46b3e76e28b9b3eee73693720c9ec48820228b72. Implement input validation and restrict file write permissions as temporary workarounds.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future exploitation.
Refer to the OpenViking project's official communication channels and repository for the latest advisory regarding CVE-2026-28518.