Skip to main content

Prompts Chat CVE-2026-22661

| EUVDEUVD-2026-18821 HIGH
Path Traversal (CWE-22)
2026-04-03 VulnCheck GHSA-3pwg-7q4v-jff5
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18821
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
Patch released
Apr 03, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 03, 2026 - 20:26 nvd
HIGH 8.6

DescriptionCVE.org

prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing server-side filename validation to inject path traversal sequences ../ into skill file archives, which when extracted by vulnerable tools write files outside the intended directory and overwrite shell initialization files to achieve code execution.

AnalysisAI

Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.

Technical ContextAI

This vulnerability affects prompts.chat (CPE: cpe:2.3:a:f:prompts.chat), a platform for managing AI prompt templates through 'skill files' distributed as ZIP archives. The root cause is CWE-22 (Path Traversal) in the file extraction mechanism. When processing skill file archives, the application fails to sanitize or validate filenames embedded within ZIP containers before extraction. ZIP file specifications allow arbitrary strings as internal filenames, including parent directory references (../) that navigate outside intended extraction directories. Without canonicalization or path boundary enforcement, extraction routines honor these sequences, enabling writes to arbitrary filesystem locations accessible to the extraction process. The CVSS v4.0 vector confirms network attack vector (AV:N), low complexity (AC:L), no privileges required (PR:N), but user interaction needed (UI:P), resulting in high confidentiality and integrity impact on the vulnerable system. The attack targets the client-side extraction phase rather than server infrastructure, making this a supply-chain style attack where malicious content is served through the legitimate platform.

RemediationAI

Vendor-released patch: commit 0f8d4c381abd7b2d7478c9fdee9522149c2d65e5 resolves the path traversal vulnerability by implementing filename sanitization in the skill file extraction process. Organizations should immediately update prompts.chat deployments to this commit or later versions from the official GitHub repository (https://github.com/f/prompts.chat/commit/0f8d4c381abd7b2d7478c9fdee9522149c2d65e5). Review pull request 1101 for implementation details and validation testing procedures. As an interim workaround pending patch deployment, restrict skill file imports to trusted sources only and implement application-layer controls to inspect ZIP archive contents before extraction, rejecting files containing ../ sequences or absolute paths. Consider deploying file extraction processes in sandboxed environments with restricted write permissions to limit arbitrary file write impact. Review system logs and shell initialization files (bashrc, profile, zshrc) for unauthorized modifications that may indicate prior exploitation.

Share

CVE-2026-22661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy