CVE-2026-6636

| EUVD-2026-23842 MEDIUM
2026-04-20 VulDB GHSA-42cc-jrr3-ghpw
Path Traversal Convert
5.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Apr 20, 2026 - 12:43 vuln.today
CVSS Changed
Apr 20, 2026 - 12:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)

DescriptionNVD

A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Performing a manipulation of the argument pathname results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in p2r3 convert's Bun.serve API endpoint allows authenticated remote attackers to access arbitrary files on the server by manipulating the pathname parameter in buildCache.js. The vulnerability affects all versions up to commit 6998584ace3e11db66dff0b423612a5cf91de75b, with publicly available exploit code and no vendor patch forthcoming due to non-response from the maintainer. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6636 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy