CVE-2026-28518

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72	Patch
https://github.com/volcengine/OpenViking/issues/342	Issue Tracking
https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal	Patch Third Party Advisory
https://github.com/volcengine/OpenViking/issues/342	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:volcengine:openviking:*:*:*:*:*:*:*:*

History

17 Apr 2026, 21:19

Type	Values Removed	Values Added
References	~~() https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72 -~~	() https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72 - Patch
References	~~() https://github.com/volcengine/OpenViking/issues/342 -~~	() https://github.com/volcengine/OpenViking/issues/342 - Issue Tracking
References	~~() https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal -~~	() https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal - Patch, Third Party Advisory
First Time		Volcengine Volcengine openviking
Summary		(es) Las versiones 0.2.1 y anteriores de OpenViking, corregidas en el commit 46b3e76, contienen una vulnerabilidad de salto de ruta en el manejo de importación de archivos .ovpack que permite a los atacantes escribir archivos fuera del directorio de importación previsto. Los atacantes pueden crear archivos ZIP maliciosos con secuencias de salto de ruta, rutas absolutas o prefijos de unidad en los nombres de los miembros para sobrescribir o crear archivos arbitrarios con los privilegios del proceso de importación.
CPE		cpe:2.3:a:volcengine:openviking::::::::

03 Mar 2026, 22:16

Type	Values Removed	Values Added
References	~~() https://github.com/volcengine/OpenViking/issues/342 -~~	() https://github.com/volcengine/OpenViking/issues/342 -

03 Mar 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-03 15:16

Updated : 2026-04-17 21:19

NVD link : CVE-2026-28518

Mitre link : CVE-2026-28518

CVE.ORG link : CVE-2026-28518

JSON object : View

Products Affected

volcengine

openviking

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.8 /10