Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem.
AnalysisAI
Stackfield Desktop App before version 1.10.2 for macOS and Windows allows arbitrary file writes to the filesystem through a path traversal vulnerability in its decryption functionality when processing the filePath property. A malicious export file can enable attackers to overwrite critical system or application files, potentially leading to code execution or application compromise without requiring user interaction beyond opening the malicious export.
Technical ContextAI
The vulnerability exists in the file decryption and export processing logic of Stackfield Desktop App. When the application decrypts exported data, it fails to properly validate and sanitize the filePath property before using it to write decrypted content to disk. This path traversal flaw allows an attacker to use directory traversal sequences (such as ../ or absolute paths) to write files outside the intended application directory to arbitrary locations on the victim's filesystem. The affected technology spans both the macOS and Windows versions of the desktop application, indicating a platform-agnostic implementation flaw in the file handling code. The vulnerability can be exploited through specially crafted export files that contain malicious filePath values during the decryption process.
RemediationAI
Users must upgrade Stackfield Desktop App to version 1.10.2 or later, which contains the fix for this path traversal vulnerability. The patched version properly validates and sanitizes the filePath property during the decryption process. Upgrade instructions and the patched version are available at https://www.stackfield.com/desktop-apps. Until patching is possible, users should avoid opening export files from untrusted sources and exercise caution when handling exported Stackfield data. Organizations should prioritize this upgrade across all affected systems, as the arbitrary file write capability presents a critical risk if exploited by malicious actors.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18801
GHSA-6c5f-m57x-3368