Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Privileged control over the plugin input is required (PR:H) and traversal is straightforward (AC:L); the write executes as a higher-privileged service crossing a trust boundary, so S:C with full C/I/A impact.
Primary rating from Vendor (tenable).
CVSS VectorVendor: tenable
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A path traversal vulnerability in Tenable Agent 11.2.0 and 11.1.3 and lower allows a privileged attacker to write arbitrary files outside the intended plugin directory, potentially leading to remote code execution.
AnalysisAI
Arbitrary file write via path traversal in Tenable Agent 11.2.0 and 11.1.3 and earlier lets a privileged attacker escape the intended plugin directory and drop files at attacker-chosen paths, potentially escalating to remote code execution. The flaw is vendor-reported (Tenable TNS-2026-18) and affects the endpoint scanning agent that typically runs with elevated/service privileges. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold high privileges (CVSS PR:H) over the agent's file-write path - specifically the ability to supply or manipulate the plugin content/directory that Tenable Agent 11.2.0 or 11.1.3-and-lower unpacks, such as control of the linked management controller or a privileged local position on the host. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 9.4 (Critical) with vector AV:N/AC:L/AT:N/PR:H/UI:N and high impact to both the vulnerable system (VC/VI/VA:H) and subsequent systems (SC/SI/SA:H), reflecting a scope-changing compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained privileged control over an agent's update/plugin input (for example a compromised management link or local privileged foothold) supplies a plugin package containing '../' path components, causing the agent to write a malicious file outside the plugin directory into an auto-executed location. When that file is subsequently loaded by the privileged agent process, the attacker's code runs with the agent's elevated rights. … |
| Remediation | Upgrade Tenable Agent to the fixed release identified in Tenable's advisory TNS-2026-18 (https://www.tenable.com/security/tns-2026-18) - the input data names 11.2.0 and 11.1.3-and-lower as vulnerable but does not include an exact fixed version string, so confirm the patched build number directly from that advisory before deploying (do not assume a version). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Tenable Agent installations and document deployed versions across your infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43701
GHSA-h23h-6wgx-rvw7