Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing server-side filename validation to inject path traversal sequences ../ into skill file archives, which when extracted by vulnerable tools write files outside the intended directory and overwrite shell initialization files to achieve code execution.
AnalysisAI
Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Technical ContextAI
This vulnerability affects prompts.chat (CPE: cpe:2.3:a:f:prompts.chat), a platform for managing AI prompt templates through 'skill files' distributed as ZIP archives. The root cause is CWE-22 (Path Traversal) in the file extraction mechanism. When processing skill file archives, the application fails to sanitize or validate filenames embedded within ZIP containers before extraction. ZIP file specifications allow arbitrary strings as internal filenames, including parent directory references (../) that navigate outside intended extraction directories. Without canonicalization or path boundary enforcement, extraction routines honor these sequences, enabling writes to arbitrary filesystem locations accessible to the extraction process. The CVSS v4.0 vector confirms network attack vector (AV:N), low complexity (AC:L), no privileges required (PR:N), but user interaction needed (UI:P), resulting in high confidentiality and integrity impact on the vulnerable system. The attack targets the client-side extraction phase rather than server infrastructure, making this a supply-chain style attack where malicious content is served through the legitimate platform.
RemediationAI
Vendor-released patch: commit 0f8d4c381abd7b2d7478c9fdee9522149c2d65e5 resolves the path traversal vulnerability by implementing filename sanitization in the skill file extraction process. Organizations should immediately update prompts.chat deployments to this commit or later versions from the official GitHub repository (https://github.com/f/prompts.chat/commit/0f8d4c381abd7b2d7478c9fdee9522149c2d65e5). Review pull request 1101 for implementation details and validation testing procedures. As an interim workaround pending patch deployment, restrict skill file imports to trusted sources only and implement application-layer controls to inspect ZIP archive contents before extraction, rejecting files containing ../ sequences or absolute paths. Consider deploying file extraction processes in sandboxed environments with restricted write permissions to limit arbitrary file write impact. Review system logs and shell initialization files (bashrc, profile, zshrc) for unauthorized modifications that may indicate prior exploitation.
More in Prompts Chat
View allAuthorization bypass vulnerabilities in prompts.chat (pre-commit 7b81836) expose private prompt data to unauthenticated
Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hi
Server-side request forgery (SSRF) in prompts.chat allows authenticated users to force the server to make arbitrary HTTP
Blind server-side request forgery in prompts.chat media generator allows authenticated users to manipulate the inputImag
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18821
GHSA-3pwg-7q4v-jff5