Skip to main content

better-icons CVE-2026-15527

| EUVDEUVD-2026-43271 LOW
Path Traversal (CWE-22)
2026-07-13 VulDB GHSA-2gq8-477v-cpgh
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Local access with low privileges required to supply the icons_file argument; unchanged scope and limited CIA impact align with the CVSS 4.0 source vector.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 13, 2026 - 04:28 vuln.today
Severity Changed
Jul 13, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
Jul 13, 2026 - 04:22 NVD
4.8 (MEDIUM) 1.9 (LOW)

DescriptionCVE.org

A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scan_project_icons/sync_icon. Such manipulation of the argument icons_file leads to path traversal. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in better-auth/better-icons (versions up to and including 1.0.5) allows a local low-privileged attacker to manipulate the icons_file argument passed to the scan_project_icons/sync_icon component, escaping the intended directory boundary to read or write arbitrary files accessible to the process. A public proof-of-concept has been disclosed via GitHub issue #18, and the vendor has not yet responded to the responsible disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privilege shell access
Exploit
Invoke sync_icon or scan_project_icons with crafted icons_file path
Execution
Path traversal bypasses directory restriction
Impact
Read or overwrite files within process permission scope

Vulnerability AssessmentAI

Exploitation Exploitation requires local system access with at least low OS-level privileges (consistent with CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) scores 1.9, placing this in the lowest severity tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with low-level account access on a developer workstation or CI/CD runner where better-icons is installed invokes the sync_icon or scan_project_icons functionality, supplying an icons_file argument containing traversal sequences such as '../../../../etc/passwd' or a path pointing to sensitive configuration files. Because the argument is not sanitized, the process reads or overwrites the targeted file within the bounds of its own OS-level permissions. …
Remediation No vendor-released patch has been identified at the time of analysis; the vendor has not responded to the disclosure per the CVE description. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy