Skip to main content

AIL Framework EUVDEUVD-2026-38238

| CVE-2026-56448 HIGH
Path Traversal (CWE-22)
2026-06-22 CIRCL GHSA-j4qv-932q-xmx8
8.3
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-reachable web endpoint (AV:N), no special conditions (AC:L), requires AIL login (PR:L), no user interaction (UI:N); traversal reads files outside AIL's storage scope (S:C, C:H) with no write or DoS (I:N/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
P

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 14:05 vuln.today
Analysis Generated
Jun 22, 2026 - 14:05 vuln.today

DescriptionCVE.org

A path traversal vulnerability exists in AIL Framework before the release containing commit 0041456af25da0cdea1c1c4624e46baff2731d8f. An authenticated AIL user can supply crafted object identifiers through the investigation workflow to cause file paths to resolve outside the intended image, favicon, or screenshot storage directories. This may allow the attacker to download and read arbitrary files that are accessible to the AIL process.

The issue occurs because user-controlled path components were joined with application storage paths without verifying that the resolved path remained within the expected directory. The affected download functionality could then include the contents of such files in a generated archive.

AnalysisAI

Authenticated path traversal in AIL Framework (CIRCL's Analysis Information Leak threat-intel platform) lets a low-privileged user abuse the investigation workflow to read arbitrary files readable by the AIL process and exfiltrate them inside a generated archive. The flaw is fixed in commit 0041456af25da0cdea1c1c4624e46baff2731d8f, and no public exploit is identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged AIL credentials
Delivery
Access investigation workflow endpoint
Exploit
Submit crafted image/favicon/screenshot object id with ../ sequences
Execution
Bypass path containment in get_rel_path
Persist
Trigger download_objects archive build
Impact
Retrieve ZIP containing arbitrary files readable by AIL process

Vulnerability AssessmentAI

Exploitation Attacker must hold valid AIL Framework credentials (PR:L in the CVSS 4.0 vector) and reach the web UI's investigation workflow over the network; specifically, the attacker must be able to invoke the investigation registration/download endpoints in var/www/blueprints/investigations_b.py and supply a crafted 'id' parameter for an object of type image, favicon, or screenshot. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is meaningful but bounded: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H demonstrates remote, low-complexity, low-privileged exploitation with high confidentiality impact on the vulnerable system and the subsequent host filesystem (scope-changed), with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated AIL analyst (or an attacker who phished/obtained low-privilege AIL credentials) registers or interacts with an investigation and supplies a crafted object identifier containing traversal sequences (e.g., ../../../../etc/passwd) for an image, favicon, or screenshot object. AIL joins the supplied id onto the storage folder without canonicalization, resolves a file outside the intended directory, and the download_objects() routine includes that file's contents in the ZIP archive returned to the attacker. …
Remediation Upstream fix available (commit 0041456af25da0cdea1c1c4624e46baff2731d8f); a released patched version is not independently confirmed from the provided data, so pull the latest main/HEAD from https://github.com/ail-project/ail-framework or the next tagged release that includes this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all AIL Framework instances, document current versions, and restrict low-privilege user permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38238 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy