Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable mandate-commit flow with low complexity but requires an admitted caller (PR:L); impact is integrity/availability of trading (I:H/A:H) with no data disclosure (C:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization (agent/src/live/mandate/commit.py). A proposal identifier containing path traversal sequences causes the application to load an attacker-controlled JSON file as an authoritative live trading mandate. Combined with the file upload endpoint, an admitted caller can write a JSON file to a known location and traverse to it, and because the ceilings validation is skipped when ceilings are absent, the attacker fully controls the committed mandate.
AnalysisAI
Trading mandate forgery in HKUDS Vibe-Trading before 0.1.10 lets an admitted (low-privileged) caller supply a proposal identifier containing path traversal sequences so the application loads an attacker-controlled JSON file as an authoritative live trading mandate. Because ceiling/limit validation is skipped when ceilings are absent, the attacker fully controls the committed mandate, enabling unauthorized live trades. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Identify all HKUDS Vibe-Trading deployments and confirm version numbers currently in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Vibe Trading
View allRemote code execution in HKUDS Vibe-Trading before 0.1.10 is reachable via a DNS-rebinding attack against its local API
Path traversal in Vibe-Trading before version 0.1.10 allows low-privileged authenticated network attackers to write arbi
Path traversal in Vibe-Trading's swarm run directory handler allows low-privileged network attackers to read and overwri
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40351
GHSA-h9xw-f6mh-953j