EUVD-2026-30715
GHSA-2c7p-5h72-cjj3
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
A vulnerability was identified in continuedev continue up to 1.2.22. This affects the function lsTool of the file core/tools/implementations/lsTool.ts of the component JSON-RPC Server. Such manipulation of the argument dirPath leads to path traversal. An attack has to be approached locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Path traversal in Continue 1.2.22 and earlier allows local authenticated attackers to read arbitrary files on the host system via crafted dirPath parameters to the lsTool function in the JSON-RPC server. The vulnerability has a publicly available exploit (GitHub Gist) but CVSS base score of 3.3 (Low) reflects limited impact due to local access requirement, low privilege requirement, and confidentiality-only impact with no integrity or availability consequences. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today