Skip to main content

DeepMyst Mysti CVE-2026-14611

| EUVDEUVD-2026-41610 MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2026-07-03 VulDB GHSA-fwpr-59hh-gr98
5.3
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-exploitable with low complexity; low privileges required per CVSS 4.0 source vector; confidentiality-only low impact consistent with CWE-668 resource exposure and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 03, 2026 - 22:15 vuln.today

DescriptionCVE.org

A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component.

AnalysisAI

Information disclosure in DeepMyst Mysti's Per-Project Auto-Memory Handler allows low-privileged remote attackers to expose resources by supplying a manipulated workspacePath argument to the initProjectMemory function in src/managers/MemoryManager.ts. EUVD-2026-41610 confirms versions 0.1 through 0.4.0 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low privileges
Exploit
Send crafted workspacePath to initProjectMemory
Execution
Trigger CWE-668 resource boundary bypass
Impact
Read out-of-scope workspace resources

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold low-privileged authenticated access to the Mysti application (PR:L per the CVSS 4.0 vector); unauthenticated anonymous access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) describes a remotely exploitable, low-complexity flaw requiring low privileges, with impact limited to low confidentiality on the vulnerable system only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker who holds low-privileged credentials on a Mysti instance crafts a request supplying a path-traversal or otherwise manipulated workspacePath value to the initProjectMemory function, causing the Per-Project Auto-Memory Handler to resolve and expose resources outside the intended project memory boundary. The attacker could then read file paths, project metadata, or other workspace artifacts they are not authorized to access. …
Remediation The upstream fix is delivered via GitHub PR #49 (https://github.com/DeepMyst/Mysti/pull/49) and commit 6d709229b5199f6769fb3cf763e5122dcc43c079. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy