CVE-2026-46703

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0
https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j
https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j

Configurations

No configuration.

History

11 Jun 2026, 14:16

Type	Values Removed	Values Added
References	~~() https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j -~~	() https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j -

10 Jun 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-10 23:16

Updated : 2026-06-11 15:21

NVD link : CVE-2026-46703

Mitre link : CVE-2026-46703

CVE.ORG link : CVE-2026-46703

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

9.6 /10