Which versions of DeepCode are affected by CVE-2026-32847?

CVE-2026-32847 is a high-severity vulnerability in the new_ui backend component that allows unauthenticated exploitation via a single HTTP request.

Is there a public PoC exploit available for CVE-2026-32847?

Yes, a public proof-of-concept exploit is available for CVE-2026-32847. Prioritise patching immediately.

DeepCode CVE-2026-32847

Q: What is the CVSS score of CVE-2026-32847?

CVE-2026-32847 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-33008 HIGH

Path Traversal (CWE-22)

2026-05-28 VulnCheck

Path Traversal

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

May 28, 2026 - 20:22 vuln.today

cvss_changed

CVSS changed

May 28, 2026 - 20:22 NVD

7.5 (HIGH) 8.7 (HIGH)

Analysis Generated

May 28, 2026 - 20:21 vuln.today

DescriptionNVD

DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in new_ui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /{full_path:path} endpoint. Attackers can bypass Starlette's path normalization by encoding slashes as %2F and dots as %2E%2E, causing the joined path to traverse outside FRONTEND_DIST and exposing sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request.

AnalysisAI

{full_path:path} in new_ui/backend/main.py. Publicly available exploit code exists (referenced in HKUDS/DeepCode issue #126 and a VulnCheck advisory), making opportunistic exploitation realistic against exposed instances. …

RemediationAI

Within 24 hours: Audit and restrict external network access to new_ui/backend services via firewall rules or security groups. Within 7 days: Deploy WAF signatures to block exploitation attempts using VulnCheck advisory patterns; enable detailed request logging for this component. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32847 vulnerability details – vuln.today

Back

DeepCode CVE-2026-32847

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

DeepCode CVE-2026-32847

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code