
BBOT: EUVD-2026-37812 / CVE-2026-12565 (MEDIUM)
Path Traversal (CWE-22)
2026-06-17 · Vendor: BLSOPS · GHSA-3vgw-585j-4m45
CVSS 3.1 base score: 5.3

Severity by source

Vendor (BLSOPS), primary: 5.3 MEDIUM (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
vuln.today AI: 5.3 MEDIUM

AV:N because BBOT fetches archives from internet targets; AC:H because exploitation requires GNU tar < 1.34 specifically; UI:R because a BBOT operator must initiate the scan; I:H for arbitrary out-of-directory file write; no confidentiality or availability impact from path traversal alone.

CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS 4.0 vector: AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (BLSOPS).

CVSS Vector (Vendor: BLSOPS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 17, 2026, 23:01 (vuln.today)
Analysis Generated: Jun 17, 2026, 23:01 (vuln.today)

Description (CVE.org)

The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar), which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.
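Because the affected range is defined by the host's tar rather than by BBOT itself, the first thing to check on a scanner host is which tar the `tar` on PATH resolves to. The following is an added example written for this page, not BBOT's own code: it parses the first line of `tar --version` and reports whether the binary is GNU tar older than 1.34, the threshold the description gives. The banner strings used in the test are constructed in the shape GNU tar and bsdtar print; other implementations are reported as outside the named range, which is not a statement that they are safe.

```python
import re
import shutil
import subprocess

# The advisory's condition: GNU tar older than 1.34 on the scanning host.
AFFECTED_BELOW = (1, 34)


def parse_tar_banner(banner: str) -> tuple:
    """Parse the first line of `tar --version`.

    Returns (flavor, version): flavor is "gnu" for GNU tar, "bsd" for
    bsdtar/libarchive, "unknown" otherwise; version is a tuple of ints,
    or None when no version number is present.
    """
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", first)
    version = tuple(int(x) for x in match.groups() if x is not None) if match else None
    if "GNU tar" in first:
        flavor = "gnu"
    elif "bsdtar" in first or "libarchive" in first:
        flavor = "bsd"
    else:
        flavor = "unknown"
    return flavor, version


def in_affected_range(banner: str) -> bool:
    """True only for GNU tar whose major.minor is below 1.34.

    bsdtar (macOS), busybox tar and anything unrecognised fall outside the
    range the advisory names; this says nothing about their own behaviour.
    """
    flavor, version = parse_tar_banner(banner)
    if flavor != "gnu" or version is None:
        return False
    return version[:2] < AFFECTED_BELOW


def check_host_tar() -> tuple:
    """Run the tar found on PATH; returns (first banner line, affected?)."""
    tar = shutil.which("tar")
    if tar is None:
        return "tar not found on PATH", False
    out = subprocess.run([tar, "--version"], capture_output=True, text=True).stdout
    first = out.splitlines()[0] if out.strip() else ""
    return first, in_affected_range(out)


if __name__ == "__main__":
    banner, affected = check_host_tar()
    print(banner or "(no version banner)")
    print("GNU tar < 1.34 (advisory's affected range):", affected)
```

Run it on the host (or inside the container image) that will execute BBOT scans, since that is the tar the unarchive module shells out to; a newer tar on the operator's laptop says nothing about the scanner.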

Analysis (AI)

Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register attacker-controlled domain
Delivery: Host crafted archive with path-traversal entries
Exploit: BBOT operator scans attacker domain
Execution: unarchive module fetches and extracts archive
Persist: GNU tar < 1.34 writes file outside extraction root
Impact: Attacker achieves arbitrary file write on BBOT host

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concurrent conditions: (1) BBOT must be actively running a scan that encounters and processes an archive hosted by attacker-controlled infrastructure; BBOT does not passively expose a network service, so the operator must initiate a scan targeting a malicious domain or IP. (2) The host running BBOT must have GNU tar < 1.34 installed as the system tar, which is the default on Ubuntu 20.04, Debian 10, CentOS 7, and Docker images built from these bases; systems with GNU tar >= 1.34 are not vulnerable to the path traversal write primitive. (3) The BBOT process must have filesystem write permission to the directory targeted by the traversal path (e.g., the user's home directory, cron spool, or web root). …
Risk Assessment: The CVSS 3.1 score of 5.3 (Medium), supplied by the vendor (BLSOPS) as the primary rating, is consistent with the constraint that exploitation requires both GNU tar < 1.34 on the host (AC:H) and a BBOT operator who initiates a scan against attacker-controlled infrastructure (UI:R). …
Exploit Scenario: An attacker registers a domain and hosts a web server that serves a crafted tar archive containing an entry with a path-traversal sequence such as '../../.ssh/authorized_keys' whose content is the attacker's public key. A BBOT operator runs a reconnaissance scan targeting the attacker-controlled domain; BBOT's unarchive module downloads and extracts the archive using GNU tar without validating extracted paths. …
Remediation: The upstream commit referenced at https://github.com/blacklanternsecurity/bbot/commit/4fb38fd6e should be applied; however, no explicitly tagged patched release version is confirmed from the available data: the fix exists as a commit, but a released version number has not been independently verified from the provided references. …
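The code-level validation the description says the module lacks, shown against the archive the exploit scenario describes. This is an added example written for this page; it is not BBOT's code and not the content of the referenced upstream commit. A tar stream is constructed in memory with a dot-dot entry and a symlink that points outside the destination followed by an entry that writes through it; the archive is extracted once with no checks (standing in for an unvalidating external tool) and once through a validating extractor that refuses it before writing anything. The key string, file names and sandbox paths are made up, and the whole demo stays under one temporary directory.

```python
import io
import os
import posixpath
import tarfile
import tempfile

class UnsafeArchiveMember(Exception):
    """An entry would write, or link, outside the extraction root."""

# Constructed for this demo; not a real key.
FAKE_PUBKEY = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoOnlyNotARealKey attacker@example\n"

def _tar_from(entries) -> bytes:
    """Build an in-memory tar from (name, data, extra TarInfo attrs) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data, attrs in entries:
            info = tarfile.TarInfo(name)
            for key, value in attrs.items():
                setattr(info, key, value)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data) if data else None)
    return buf.getvalue()

def build_malicious_tar() -> bytes:
    """The attacker's archive: a dot-dot entry plus a symlink escape."""
    return _tar_from([
        ("README.txt", b"looks harmless\n", {}),
        ("../../.ssh/authorized_keys", FAKE_PUBKEY, {}),  # as in the exploit scenario
        ("out", b"", {"type": tarfile.SYMTYPE, "linkname": "../../"}),  # points out of root
        ("out/evil.txt", b"written through the symlink\n", {}),  # writes through the link
    ])

def build_benign_tar() -> bytes:
    return _tar_from([("docs/index.html", b"<html></html>\n", {})])

def _inside(root: str, path: str) -> bool:
    return os.path.commonpath([root, path]) == root

def check_member(root: str, m: tarfile.TarInfo) -> None:
    """Reject an entry that resolves, or links, outside `root` (realpath-based, so symlinks cannot redirect later entries)."""
    name = posixpath.normpath(m.name)
    if posixpath.isabs(name) or name == ".." or name.startswith("../"):
        raise UnsafeArchiveMember(f"entry name escapes root: {m.name!r}")
    target = os.path.realpath(os.path.join(root, name))
    if not _inside(root, target):
        raise UnsafeArchiveMember(f"resolved path escapes root: {m.name!r}")
    if m.issym() or m.islnk():
        base = os.path.dirname(target) if m.issym() else root  # symlinks are relative to their own directory
        if not _inside(root, os.path.realpath(os.path.join(base, m.linkname))):
            raise UnsafeArchiveMember(f"link escapes root: {m.name!r} -> {m.linkname!r}")
    elif m.isdev() or m.isfifo():
        raise UnsafeArchiveMember(f"refusing special file: {m.name!r}")

def safe_extract(data: bytes, dest: str) -> list:
    """Validate every entry before writing anything; returns the names extracted."""
    root = os.path.realpath(dest)
    os.makedirs(root, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        members = tf.getmembers()
        for m in members:
            check_member(root, m)
        # Python 3.12+ ships its own 'data' filter; keep it as a second layer when present.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tf.extract(m, root, set_attrs=False, **extra)
    return sorted(m.name for m in members)

def naive_extract(data: bytes, dest: str) -> None:
    """No path checks at all, as an unvalidating external tool behaves (demo only)."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        if hasattr(tarfile, "fully_trusted_filter"):
            tf.extractall(dest, filter="fully_trusted")  # switch Python's own guard off
        else:
            tf.extractall(dest)  # older Pythons apply no filtering

def demo() -> dict:
    """Run both extractors in a throwaway sandbox; every write stays under it."""
    box = tempfile.mkdtemp(prefix="unarchive-demo-")
    r = {}
    naive_extract(build_malicious_tar(), os.path.join(box, "naive", "a", "b"))
    r["naive_wrote_authorized_keys"] = os.path.isfile(os.path.join(box, "naive", ".ssh", "authorized_keys"))
    r["naive_wrote_through_symlink"] = os.path.isfile(os.path.join(box, "naive", "evil.txt"))
    safe_dest = os.path.join(box, "safe", "a", "b")
    try:
        safe_extract(build_malicious_tar(), safe_dest)
        r["safe_rejected"], r["safe_reason"] = False, ""
    except UnsafeArchiveMember as exc:
        r["safe_rejected"], r["safe_reason"] = True, str(exc)
    r["safe_wrote_anything"] = os.listdir(safe_dest) != []
    r["benign_extracted"] = safe_extract(build_benign_tar(), os.path.join(box, "benign"))
    return r

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation is all-or-nothing on purpose: every entry is checked before the first one is written, so a rejected archive leaves the destination empty rather than half-populated. Checking names lexically is not enough on its own, which is why the symlink entry is included; the link target is resolved relative to the link's own directory and must also land inside the root, otherwise the following entry would be written through it.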
