Skip to main content

Falkordb Browser CVE-2026-6057

| EUVDEUVD-2026-21358 CRITICAL
Path Traversal (CWE-22)
2026-04-10 securin GHSA-2987-f6gf-82vj
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 10, 2026 - 09:45 euvd
EUVD-2026-21358
Analysis Generated
Apr 10, 2026 - 09:45 vuln.today
CVE Published
Apr 10, 2026 - 09:16 nvd
CRITICAL 9.8

DescriptionCVE.org

FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.

AnalysisAI

Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).

Technical ContextAI

CWE-22 path traversal flaw in file upload handler fails to sanitize user-supplied path components, allowing directory traversal sequences (../) to escape intended upload directory. Unauthenticated access (PR:N) to network-exposed API endpoint converts file write primitive into remote code execution through upload of executable payloads or server-side scripts.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed. Review GitHub pull request #1611 at https://github.com/FalkorDB/falkordb-browser/pull/1611 for technical fix details and monitor FalkorDB repository for versioned release incorporating this security patch. Until patched version is deployed, disable file upload functionality entirely or restrict API access through network-layer controls permitting only authenticated, trusted sources. Implement strict input validation rejecting path traversal sequences and confine uploads to chroot jails. Consult NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2026-6057 for vendor guidance.

Share

CVE-2026-6057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy