Severity by source
AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
Administrator must locally restore the archive (AV:L, PR:H, UI:R); arbitrary write causes integrity and availability harm but no direct data disclosure (C:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.
AnalysisAI
Arbitrary filesystem write via zip-slip in K3s etcd snapshot restoration affects all K3s versions prior to 1.35.3+k3s1, 1.34.6+k3s1, and v1.33.10+k3s1. A maliciously crafted zip archive with path-traversal entries in member filenames (e.g., '../../etc/cron.d/evil') can overwrite arbitrary files on the host filesystem when an administrator performs a compressed etcd snapshot restore. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: (1) the attacker must be able to deliver a maliciously crafted zip archive to a K3s administrator, and (2) the administrator must actively execute an etcd snapshot restore operation using that archive. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.8 (Medium) accurately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to influence which etcd snapshot archive a K3s administrator restores - for example, by compromising a backup storage location, staging a malicious file on shared storage, or social-engineering the administrator - provides a crafted zip file containing entries with names like '../../var/spool/cron/root'. When the administrator executes the K3s etcd snapshot restore command against this archive, K3s extracts the malicious entry to the traversed path, potentially placing a cron job or overwriting a system binary that executes with root privileges on the next scheduled run or service restart. … |
| Remediation | Upgrade K3s to one of the vendor-released patched versions: 1.35.3+k3s1 (v1.35 branch), 1.34.6+k3s1 (v1.34 branch), or v1.33.10+k3s1 (v1.33 branch), as documented in the GitHub Security Advisory at https://github.com/k3s-io/k3s/security/advisories/GHSA-jxr7-mqhw-9p98. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39512
GHSA-jxr7-mqhw-9p98