Skip to main content

Opendeck CVE-2026-28427

MEDIUM
Path Traversal (CWE-22)
2026-03-04 security-advisories@github.com
5.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Apr 21, 2026 - 15:22 NVD
5.9 (MEDIUM)
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 04, 2026 - 20:16 nvd
N/A

DescriptionGitHub Advisory

OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.

AnalysisAI

OpenDeck is Linux software for your Elgato Stream Deck. versions up to 2.8.1 is affected by path traversal.

Technical ContextAI

This vulnerability (CWE-22: Path Traversal) affects OpenDeck is Linux software for your Elgato Stream Deck.. OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.

RemediationAI

Fixed in version 2.8.1.. Validate and sanitize file path inputs. Use allowlists.

Share

CVE-2026-28427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy