Which versions of ai-goofish-monitor are affected by CVE-2026-10044?

CVE-2026-10044 is a high-severity path traversal vulnerability (CVSS 8.2) enabling attackers to bypass file access controls through Windows absolute paths and backslash traversal, exposing systems to…. A patch is available.

Is there a public PoC exploit available for CVE-2026-10044?

Yes, a public proof-of-concept exploit is available for CVE-2026-10044. Prioritise patching immediately.

ai-goofish-monitor CVE-2026-10044

Q: What is the CVSS score of CVE-2026-10044?

CVE-2026-10044 has a CVSS 4.0 base score of 8.2 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-33061 HIGH

Absolute Path Traversal (CWE-36)

2026-05-28 VulnCheck

Path Traversal Microsoft

8.2

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 28, 2026 - 22:30 vuln.today

v3 (cvss_changed)

Analysis Updated

May 28, 2026 - 22:30 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 28, 2026 - 22:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 22:22 NVD

7.5 (HIGH) 8.2 (HIGH)

Source Code Evidence Fetched

May 28, 2026 - 21:52 vuln.today

Analysis Generated

May 28, 2026 - 21:52 vuln.today

CVE Published

May 28, 2026 - 21:02 nvd

HIGH 7.5

DescriptionNVD

Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process.

AnalysisAI

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows paths or backslash traversal bypass it entirely. …

RemediationAI

Within 24 hours: Identify all systems running the affected application endpoint and review security logs for exploitation attempts. Within 7 days: Apply vendor patch to all affected systems following change management procedures; validate patch installation across the environment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory