OpenBullet2 EUVD-2026-35137 | CVE-2026-25559 (HIGH)
Path Traversal (CWE-22)
2026-06-08 · VulnCheck · GHSA-7h2f-7rvq-v94v
Score 8.7 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (2 events)

  • Jun 08, 2026 17:22 (vuln.today): Analysis generated
  • Jun 08, 2026 17:22 (NVD): CVSS changed from 8.8 (HIGH) to 8.7 (HIGH)

Description (CVE.org)

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can chain the file write and delete primitives to achieve remote code execution by manipulating critical system files such as /etc/passwd, with full system impact since the application runs as root by default.
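As an added example (not code from OpenBullet2, which is a .NET project, nor from the advisory), the check below shows in Python the containment rule the description says the wordlist upload handler lacks: user input is only ever a name relative to a wordlist root, absolute paths are refused, and the resolved target must stay inside that root. The root directory and the sample names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

class UnsafePathError(ValueError):
    """Requested name would resolve outside the wordlist root."""

def resolve_wordlist_path(root: Path, requested: str) -> Path:
    """Map a user-supplied wordlist name onto a path inside root.

    Input is treated strictly as a relative name: NUL bytes and absolute or
    anchored paths (the advisory's primitive) are rejected, symlinks are
    resolved, and the final target must stay under the resolved root.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty or NUL-containing name")
    candidate = Path(requested)
    if candidate.is_absolute() or candidate.anchor:
        raise UnsafePathError(f"absolute path rejected: {requested!r}")
    root_resolved = root.resolve(strict=False)
    target = (root_resolved / candidate).resolve(strict=False)
    if root_resolved not in target.parents:  # also rejects "." (target == root)
        raise UnsafePathError(f"escapes wordlist root: {requested!r}")
    return target

def classify(root: Path, names: list[str]) -> dict[str, bool]:
    """Return {requested name: accepted} for a batch of names."""
    results = {}
    for name in names:
        try:
            resolve_wordlist_path(root, name)
            results[name] = True
        except UnsafePathError:
            results[name] = False
    return results

# Constructed sample names; the two /etc paths are those the advisory cites.
SAMPLE_NAMES = ["combo.txt", "2026/usernames.txt", "../../../etc/passwd",
                "/etc/passwd", "/etc/cron.d/pwn", "sub/../../escape.txt",
                "evil\x00.txt"]

def demo() -> dict[str, bool]:
    """Run the check against a throwaway root, adding an escaping symlink."""
    with tempfile.TemporaryDirectory(prefix="wordlists-") as tmp:
        root, names = Path(tmp), list(SAMPLE_NAMES)
        try:
            (root / "link").symlink_to(root.parent)  # points outside the root
            names.append("link/escaped.txt")
        except OSError:
            pass  # symlink creation unavailable (e.g. unprivileged Windows)
        return classify(root, names)
```

Only the two plain relative names are accepted; every absolute, dot-dot, NUL-bearing or symlink-escaping name is refused before any file operation runs.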

Analysis (AI)

Path traversal in OpenBullet2 through 0.3.2 lets authenticated attackers read, write, and delete arbitrary files via the wordlist endpoint, escalating to remote code execution by tampering with system files like /etc/passwd. Because the application runs as root by default, successful exploitation yields full system compromise. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify exposed OpenBullet2 instance
  • Delivery: Obtain low-privileged credentials or bypass auth
  • Exploit: Send crafted wordlist upload with absolute path
  • Execution: Write malicious file as root (e.g. /etc/passwd or cron job)
  • Persist: Trigger execution via cron or login
  • Impact: Gain root shell on host

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network reachability to the OpenBullet2 HTTP API and an authenticated session against the wordlist endpoint (CVSS PR:L); no user interaction is needed. …

Risk Assessment: The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with high impact across confidentiality, integrity, and availability, consistent with the described root-level RCE primitive. …

Exploit Scenario: An attacker with a low-privileged OpenBullet2 account (or one obtained via the referenced auth-bypass write-up) sends an HTTP request to the wordlist upload handler with an absolute path such as /etc/passwd or /etc/cron.d/pwn, writing attacker-controlled content outside the intended wordlists directory. Because the daemon runs as root by default, the planted file is honored by the OS, granting interactive root access on the next cron tick or login attempt. …

Remediation: No vendor-released patch identified at time of analysis for versions through 0.3.2; operators should monitor the OpenBullet2 GitHub project and the VulnCheck advisory (https://www.vulncheck.com/advisories/openbullet2-path-traversal-via-wordlist-endpoint) for a fixed release and upgrade to any version greater than 0.3.2 once published. …

Recommended Action (AI)

Within 24 hours: Inventory all systems running OpenBullet2 and identify current versions in use. …

