Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.
AnalysisAI
Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).
Technical ContextAI
CWE-22 path traversal flaw in file upload handler fails to sanitize user-supplied path components, allowing directory traversal sequences (../) to escape intended upload directory. Unauthenticated access (PR:N) to network-exposed API endpoint converts file write primitive into remote code execution through upload of executable payloads or server-side scripts.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed. Review GitHub pull request #1611 at https://github.com/FalkorDB/falkordb-browser/pull/1611 for technical fix details and monitor FalkorDB repository for versioned release incorporating this security patch. Until patched version is deployed, disable file upload functionality entirely or restrict API access through network-layer controls permitting only authenticated, trusted sources. Implement strict input validation rejecting path traversal sequences and confine uploads to chroot jails. Consult NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2026-6057 for vendor guidance.
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21358
GHSA-2987-f6gf-82vj