Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable with low complexity; low privileges required per CVSS 4.0 source vector; confidentiality-only low impact consistent with CWE-668 resource exposure and no scope change.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component.
AnalysisAI
Information disclosure in DeepMyst Mysti's Per-Project Auto-Memory Handler allows low-privileged remote attackers to expose resources by supplying a manipulated workspacePath argument to the initProjectMemory function in src/managers/MemoryManager.ts. EUVD-2026-41610 confirms versions 0.1 through 0.4.0 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold low-privileged authenticated access to the Mysti application (PR:L per the CVSS 4.0 vector); unauthenticated anonymous access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) describes a remotely exploitable, low-complexity flaw requiring low privileges, with impact limited to low confidentiality on the vulnerable system only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker who holds low-privileged credentials on a Mysti instance crafts a request supplying a path-traversal or otherwise manipulated workspacePath value to the initProjectMemory function, causing the Per-Project Auto-Memory Handler to resolve and expose resources outside the intended project memory boundary. The attacker could then read file paths, project metadata, or other workspace artifacts they are not authorized to access. … |
| Remediation | The upstream fix is delivered via GitHub PR #49 (https://github.com/DeepMyst/Mysti/pull/49) and commit 6d709229b5199f6769fb3cf763e5122dcc43c079. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41610
GHSA-fwpr-59hh-gr98