Skip to main content

Apple CVE-2026-28373

| EUVDEUVD-2026-18801 CRITICAL
Path Traversal (CWE-22)
2026-04-03 cve@mitre.org GHSA-6c5f-m57x-3368
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 17:22 euvd
EUVD-2026-18801
Analysis Generated
Apr 03, 2026 - 17:22 vuln.today
CVE Published
Apr 03, 2026 - 17:16 nvd
CRITICAL 9.6

DescriptionCVE.org

The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem.

AnalysisAI

Stackfield Desktop App before version 1.10.2 for macOS and Windows allows arbitrary file writes to the filesystem through a path traversal vulnerability in its decryption functionality when processing the filePath property. A malicious export file can enable attackers to overwrite critical system or application files, potentially leading to code execution or application compromise without requiring user interaction beyond opening the malicious export.

Technical ContextAI

The vulnerability exists in the file decryption and export processing logic of Stackfield Desktop App. When the application decrypts exported data, it fails to properly validate and sanitize the filePath property before using it to write decrypted content to disk. This path traversal flaw allows an attacker to use directory traversal sequences (such as ../ or absolute paths) to write files outside the intended application directory to arbitrary locations on the victim's filesystem. The affected technology spans both the macOS and Windows versions of the desktop application, indicating a platform-agnostic implementation flaw in the file handling code. The vulnerability can be exploited through specially crafted export files that contain malicious filePath values during the decryption process.

RemediationAI

Users must upgrade Stackfield Desktop App to version 1.10.2 or later, which contains the fix for this path traversal vulnerability. The patched version properly validates and sanitizes the filePath property during the decryption process. Upgrade instructions and the patched version are available at https://www.stackfield.com/desktop-apps. Until patching is possible, users should avoid opening export files from untrusted sources and exercise caution when handling exported Stackfield data. Organizations should prioritize this upgrade across all affected systems, as the arbitrary file write capability presents a critical risk if exploited by malicious actors.

Share

CVE-2026-28373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy