{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-19T21:56:14.484","vulnerabilities":[{"cve":{"id":"CVE-2026-28518","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-03-03T15:16:20.593","lastModified":"2026-06-17T10:28:47.120","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges."},{"lang":"es","value":"Las versiones 0.2.1 y anteriores de OpenViking, corregidas en el commit 46b3e76, contienen una vulnerabilidad de salto de ruta en el manejo de importación de archivos .ovpack que permite a los atacantes escribir archivos fuera del directorio de importación previsto. Los atacantes pueden crear archivos ZIP maliciosos con secuencias de salto de ruta, rutas absolutas o prefijos de unidad en los nombres de los miembros para sobrescribir o crear archivos arbitrarios con los privilegios del proceso de importación."}],"affected":[{"source":"disclosure@vulncheck.com","affectedData":[{"vendor":"Volcengine","product":"OpenViking","defaultStatus":"unaffected","repo":"https://github.com/volcengine/OpenViking","versions":[{"version":"0","lessThanOrEqual":"0.2.1","versionType":"semver","status":"affected"},{"version":"46b3e76e28b9b3eee73693720c9ec48820228b72","versionType":"git","status":"unaffected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-03T21:29:17.100250Z","id":"CVE-2026-28518","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:volcengine:openviking:*:*:*:*:*:*:*:*","versionEndExcluding":"0.2.1","matchCriteriaId":"E66C393D-9F4B-4DC0-BA3B-517F825A09FE"}]}]}],"references":[{"url":"https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72","source":"disclosure@vulncheck.com","tags":["Patch"]},{"url":"https://github.com/volcengine/OpenViking/issues/342","source":"disclosure@vulncheck.com","tags":["Issue Tracking"]},{"url":"https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal","source":"disclosure@vulncheck.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/volcengine/OpenViking/issues/342","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Issue Tracking"]}]}}]}