Platform
go
Component
github.com/flipped-aurora/gin-vue-admin
Fixed version
2.8.8
CVE-2026-22786 describes a Path Traversal vulnerability discovered in Gin-vue-admin, a Go-based admin panel. This flaw allows attackers to upload arbitrary files, potentially enabling remote code execution or data compromise. The vulnerability impacts versions of Gin-vue-admin before 2.8.8. A fix is available in version 2.8.8.
The arbitrary file upload capability afforded by CVE-2026-22786 presents a significant risk. An attacker could upload a malicious web shell, granting them remote command execution on the server hosting the Gin-vue-admin application. This could lead to complete system compromise, data exfiltration, and further lateral movement within the network. The impact is amplified if the application is deployed in a production environment with sensitive data or critical functionality. Successful exploitation could also allow an attacker to overwrite existing system files, leading to denial of service.
CVE-2026-22786 was publicly disclosed on January 23, 2026. Currently, no public proof-of-concept exploits are known. The EPSS score is pending evaluation. Given the nature of the vulnerability (arbitrary file upload), it is likely to become a target for exploitation once a readily available exploit is developed.
Organizations using Gin-vue-admin in production environments, particularly those with sensitive data or critical applications, are at risk. Environments with weak file upload validation or inadequate access controls are especially vulnerable. Shared hosting environments where multiple users have upload capabilities also face increased risk.
• go / server:
find /var/log/gin-vue-admin -type f -name '*.log' -print0 | xargs -0 grep -i 'file upload'
• generic web:
curl -I <target_url>/upload | grep 'Content-Type'
Disclosure
Exploitation status
EPSS
0.59% (69th percentile)
CISA SSVC
The primary mitigation for CVE-2026-22786 is to upgrade Gin-vue-admin to version 2.8.8 or later. If upgrading immediately is not feasible, implement temporary workarounds. Restrict the upload directory to a specific, isolated location. Thoroughly validate all uploaded filenames to prevent path traversal attempts, ensuring they do not contain characters like '..' or absolute paths. Consider implementing a Web Application Firewall (WAF) with rules to block suspicious file uploads. Monitor application logs for unusual file upload activity.
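The filename validation and upload-directory confinement recommended above, shown as an added Go example (not code from the Gin-vue-admin project): `naiveUploadPath` is the unsafe pattern of joining a caller-supplied name straight onto the upload directory, and `SafeUploadPath` is the hardened form that rejects separators and `..` components and then confirms the resolved path still lies inside the upload directory. The directory `/srv/uploads` and the sample names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for any upload name that could escape the upload directory.
var ErrUnsafeName = errors.New("unsafe upload filename")

// naiveUploadPath is the vulnerable pattern: the client-controlled name is joined onto
// the upload directory with no checks, so "../" components walk out of uploadDir.
func naiveUploadPath(uploadDir, name string) string {
	return filepath.Join(uploadDir, name)
}

// SafeUploadPath returns the on-disk path for an uploaded file name, or ErrUnsafeName
// if the name is empty, contains a NUL byte, contains a path separator, is "." or "..",
// or would resolve outside uploadDir. uploadDir is assumed to be an absolute directory.
func SafeUploadPath(uploadDir, name string) (string, error) {
	// Empty names and embedded NUL bytes are never legitimate file names.
	if name == "" || strings.ContainsRune(name, 0) {
		return "", ErrUnsafeName
	}
	// An upload name must be a bare file name: no '/' or '\' at all.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrUnsafeName
	}
	// "." and ".." are directory references, not file names.
	if name == "." || name == ".." {
		return "", ErrUnsafeName
	}
	// Defence in depth: resolve the joined path and verify it is still under uploadDir.
	base, err := filepath.Abs(uploadDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	// Constructed sample names: one legitimate, one traversal attempt, one bare "..",
	// and one that smuggles a subdirectory.
	for _, n := range []string{"report.pdf", "../../outside.txt", "..", "sub/file.txt"} {
		fmt.Printf("naive: %q -> %q\n", n, naiveUploadPath("/srv/uploads", n))
		p, err := SafeUploadPath("/srv/uploads", n)
		fmt.Printf("safe:  %q -> %q, err=%v\n", n, p, err)
	}
}
```

The separator check alone already blocks traversal; the `filepath.Rel` check is kept so that a future relaxation of the name rules (for example allowing subdirectories) still cannot produce a path outside the upload root.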
Upgrade Gin-vue-admin to a version later than 2.8.7 that contains the fix for the path traversal vulnerability. See the security advisory on GitHub for more details and the fixed version.
CVE-2026-22786 is a Path Traversal vulnerability in Gin-vue-admin versions before 2.8.8, allowing attackers to upload arbitrary files.
You are affected if you are using Gin-vue-admin versions prior to 2.8.8. Upgrade immediately to mitigate the risk.
Upgrade to version 2.8.8 or later. As a temporary workaround, restrict upload paths and validate filenames.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is likely to become a target.
Refer to the official Gin-vue-admin project repository and release notes for the latest security advisories.