Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Local D-Bus access requires an unprivileged local account so PR:L (not PR:N); low complexity, no UI; high availability from DoS, low C/I from config-driven side effects short of confirmed full RCE.
Primary rating from Vendor (suse).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Lifecycle Timeline
3DescriptionNVD
A path traversal attack when using a "configName" parameter in qSnapper before version 1.3.3 allowed a local attacker to use malicious config files for snapper and so cause a denial of service or potentially escalate privileges to root.
AnalysisAI
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have local D-Bus session access to the system bus on a host where the qSnapper privileged service is installed and running (typical on openSUSE/SLES desktops or servers using qSnapper for snapper management) and must supply a malicious configName value to a D-Bus method such as those accepting configName prior to the 1.3.3 validateConfigName() allowlist. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 base score is 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H) - local vector, low complexity, no privileges, no UI, with high availability impact and low confidentiality/integrity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user on a workstation running qSnapper invokes a vulnerable D-Bus method (for example a restore or diff call) supplying a configName containing path traversal sequences that resolves to an attacker-planted snapper config file in a world-writable location. The privileged qSnapper service loads that config and invokes snapper, which executes with root privileges using the attacker-controlled settings, producing a service crash or, depending on the config directives, code execution paths that lead to root. … |
| Remediation | Vendor-released patch: qSnapper 1.3.3 - upgrade immediately via the project release at https://github.com/presire/qSnapper/releases/tag/v1.3.3 or the distribution package once published per SUSE Bugzilla 1261889. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running qSnapper versions prior to 1.3.3 and determine operational criticality of affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user
Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke p
Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in t
Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected fil
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38263
GHSA-3hfq-9fxf-h35p