CVE-2026-32733

MEDIUM
2026-03-20 GitHub_M
6.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated
Mar 20, 2026 - 23:01 vuln.today
CVE Published
Mar 20, 2026 - 22:37 nvd
MEDIUM 6.5

Description

Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
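The class of fix described above, as an added example that is not Halloy's code: the function name `sanitize_filename` is borrowed from the description, but its body, the `destination` helper and the save directory are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Reduce a sender-supplied DCC SEND filename to one safe path component.
/// Hypothetical implementation: only the name matches the page.
fn sanitize_filename(raw: &str) -> Option<String> {
    // Treat '/' and '\' alike: the sender may be on any OS.
    let last = raw.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or("");
    // Drop control characters (NUL included) and ':' (Windows drive/stream marker).
    let cleaned: String = last.chars().filter(|&c| !c.is_control() && c != ':').collect();
    match cleaned.trim() {
        "" | "." | ".." => None,
        name => Some(name.to_string()),
    }
}

/// Join the sanitized name onto save_dir and confirm the result is a direct child of it.
fn destination(save_dir: &Path, raw: &str) -> Option<PathBuf> {
    let dest = save_dir.join(sanitize_filename(raw)?);
    // Defence in depth: exactly one normal component may follow save_dir.
    let rest = dest.strip_prefix(save_dir).ok()?;
    let mut parts = rest.components();
    match (parts.next(), parts.next()) {
        (Some(Component::Normal(_)), None) => Some(dest),
        _ => None,
    }
}

fn main() {
    let save_dir = Path::new("/home/user/Downloads"); // constructed sample directory
    // Constructed sample filenames, including the traversal string from the description.
    for raw in ["report.pdf", "../../.ssh/authorized_keys", "..\\..\\x.exe", "..", "dir/"] {
        println!("{:?} -> {:?}", raw, destination(save_dir, raw));
    }
}
```

The sketch covers the filename only; it does not address overwriting an existing file in the save directory or a save directory that is itself a symlink.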

Analysis

Halloy, a Rust-based IRC application, contains a path traversal vulnerability in its DCC (Direct Client-to-Client) receive functionality that fails to sanitize filenames from incoming DCC SEND requests prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6. Remote IRC users can exploit this vulnerability to write files outside the configured save directory using path traversal sequences like ../../.ssh/authorized_keys, potentially allowing arbitrary file placement on the victim's system with zero user interaction if auto-accept is enabled. …


Remediation

Within 30 days: Identify affected systems running Rust and apply vendor patches as part of the regular patch cycle. …


Priority Score

33
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0
