Skip to main content

creative-ad-agent CVE-2026-7271

| EUVDEUVD-2026-26042 MEDIUM
Path Traversal (CWE-22)
2026-04-28 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 28, 2026 - 13:31 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 13:22 euvd
EUVD-2026-26042
Analysis Generated
Apr 28, 2026 - 13:22 vuln.today
CVE Published
Apr 28, 2026 - 13:19 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was detected in DV0x creative-ad-agent up to 751b9e5146604dc65049bd0f62dcbdad6212f8a3. Impacted is an unknown function of the file server/sdk-server.ts of the component creative-ad-agent-server. Performing a manipulation of the argument req.params results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 3d255865a957f3740b8724dd914502c0f44d4970. Applying a patch is the recommended action to fix this issue.

AnalysisAI

Path traversal in DV0x creative-ad-agent server component (up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3) allows remote unauthenticated attackers to read arbitrary files via manipulation of req.params arguments in server/sdk-server.ts. Public exploit code is available. CVSS 5.5 reflects low confidentiality impact with network-accessible attack vector and no authentication requirement.

Technical ContextAI

The vulnerability exists in the creative-ad-agent-server component, specifically in the server/sdk-server.ts file where user-controlled request parameters (req.params) are processed without proper path validation. This is a classic path traversal flaw (CWE-22) where an attacker can use directory traversal sequences (e.g., '../../../') to navigate outside the intended directory scope and access arbitrary files on the server filesystem. The product uses a rolling release model with continuous delivery via Git commits rather than numbered version releases, making affected version tracking dependent on commit hashes.

RemediationAI

Apply the upstream patch commit 3d255865a957f3740b8724dd914502c0f44d4970 (available at https://github.com/DV0x/creative-ad-agent/commit/3d255865a957f3740b8724dd914502c0f44d4970) to remediate the path traversal flaw. Organizations using creative-ad-agent should pull the latest version from the repository to obtain this fix. As an interim compensating control pending patch deployment, restrict network access to the creative-ad-agent-server endpoint at the firewall or reverse proxy level to only trusted client IP addresses or subnets; this reduces attack surface while the fix is validated. Alternatively, if the server/sdk-server.ts endpoint is not required for production, disable or restrict the affected functionality until patching is complete. Review application logs for evidence of path traversal attempts (requests containing '../' sequences in parameters) to identify potential prior exploitation.

Share

CVE-2026-7271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy