Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries.
AnalysisAI
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Technical ContextAI
CWE-22 path traversal vulnerability in tsk_recover utility fails to sanitize directory traversal sequences embedded within filesystem metadata. When parsing crafted images containing /../ patterns in file/directory names, the tool performs unsafe path concatenation, writing recovered files to unvalidated locations on host filesystem. CVSS vector indicates local access with required user interaction (UI:P) and unauthenticated context (PR:N).
RemediationAI
Vendor-released patch: upstream fix available via GitHub commit a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b; released patched version not independently confirmed. Apply commit patch from https://github.com/sleuthkit/sleuthkit/commit/a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b or monitor vendor for packaged release. Workaround: Restrict tsk_recover processing to trusted filesystem images only, operate tool within isolated sandbox environments with constrained write permissions, and validate recovery output paths do not traverse parent directories. Review VulnCheck advisory at https://www.vulncheck.com/advisories/sleuth-kit-tsk-recover-path-traversal for additional guidance.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20759
GHSA-995r-jc2c-558w