CVE-2026-28518
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
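The member-name checks an archive importer needs against the three cases named above (traversal sequences, absolute paths, drive prefixes), as an added Python example. It is not OpenViking's code or the fix in commit 46b3e76; `unsafe_reason`, `safe_import` and `make_pack` are hypothetical names, and the sample archives are constructed in memory.

```python
import io
import zipfile
from pathlib import Path, PureWindowsPath

# Hypothetical helpers for illustration; not taken from the OpenViking code base.


def unsafe_reason(name):
    """Return why a ZIP member name is unsafe, or None if it is acceptable."""
    if PureWindowsPath(name).drive:            # "C:\x", "C:x", UNC shares
        return "drive prefix"
    if name.startswith(("/", "\\")):
        return "absolute path"
    if ".." in name.replace("\\", "/").split("/"):
        return "traversal sequence"
    return None


def safe_import(pack_bytes, dest):
    """Extract an archive into dest; refuse the whole archive on any bad name."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(pack_bytes)) as zf:
        members = zf.infolist()
        for info in members:                   # validate everything before writing
            reason = unsafe_reason(info.filename)
            if reason:
                raise ValueError(f"{info.filename!r}: {reason}")
        for info in members:
            target = (root / info.filename).resolve()
            if not target.is_relative_to(root):    # also catches symlinked dirs
                raise ValueError(f"{info.filename!r}: escapes import directory")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(root).as_posix())
    return written


def make_pack(names):
    """Build a constructed sample archive in memory (not a real .ovpack)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return buf.getvalue()
```

Validating every name before the first write means an archive that mixes benign and hostile members leaves nothing behind in the import directory.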
Analysis
OpenViking 0.2.1 and earlier contain a path traversal vulnerability in .ovpack file imports that enables local attackers to write arbitrary files outside the intended directory by crafting malicious ZIP archives with traversal sequences or absolute paths. An attacker with user interaction can overwrite or create files with the privileges of the importing process, potentially leading to code execution or system compromise. …
Remediation
Within 24 hours: inventory all systems running OpenViking 0.2.1 or earlier and isolate from production if possible; disable .ovpack import functionality if operationally feasible. Within 7 days: restrict file upload and import capabilities to trusted internal sources only; implement enhanced monitoring of file system write operations. …
GHSA-rpqr-j937-6qr9