CVE-2026-1691
Published 2026-01-30
Priority: P3 (59) · Severity: high · CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.50% (38.9th percentile)
A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adlered | bolo-solo | <= 2.6.4 | — |
| github.com | dagu-org_dagu | >= 1.30.4-0.20260221021317-e2ed589105d7 < 1.30.4-0.20260319093346-7d07fda8f9de | 1.30.4-0.20260319093346-7d07fda8f9de |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | — | 7.1 | HIGH | — |
GHSA
CVE-2026-33344 [HIGH] CWE-22 · ghsa · 2026-03-19 · CVSS 7.1
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
The fix for CVE-2026-27598 (commit e2ed589, PR #1691) added `ValidateDAGName` to `CreateNewDAG` and rewrote `generateFilePath` to use `filepath.Base`. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the `{fileName}` URL path parameter to `locateDAG` without calling `ValidateDAGName`. `%2F`-encoded forward slashes in the `{fileName}` segment traverse outside the DAGs directory.
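A defensive check for the gap the advisory describes, as an added example that is not Dagu's code: a hypothetical `validateDAGName` that percent-decodes before rejecting separators, wrapped in a `resolveDAGPath` guard that each endpoint would call before `locateDAG`. The function names, the `dagsDir` value and the sample inputs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrInvalidDAGName is returned for anything that is not a single bare file name.
var ErrInvalidDAGName = errors.New("invalid DAG name")

// validateDAGName (hypothetical; not Dagu's ValidateDAGName) accepts only a bare name. It
// percent-decodes first so that "%2F" and "%2E%2E" are judged exactly like "/" and "..".
func validateDAGName(raw string) (string, error) {
	name, err := url.PathUnescape(raw)
	if err != nil || name == "" || name == "." || name == ".." {
		return "", ErrInvalidDAGName
	}
	// Any separator means the caller supplied a path, not a name; reject both slash styles.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrInvalidDAGName
	}
	return name, nil
}

// resolveDAGPath is the check each endpoint should run before locateDAG: validate the
// name, then confirm the joined path still lies inside dagsDir (defence in depth).
func resolveDAGPath(dagsDir, raw string) (string, error) {
	name, err := validateDAGName(raw)
	if err != nil {
		return "", err
	}
	full := filepath.Join(dagsDir, name+".yaml")
	rel, err := filepath.Rel(dagsDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidDAGName
	}
	return full, nil
}

func main() {
	// Constructed inputs: one legitimate name, then encoded and plain traversal attempts.
	for _, in := range []string{"nightly-backup", "..%2F..%2Fetc%2Fpasswd", "sub/dag", ".."} {
		p, err := resolveDAGPath("/srv/dagu/dags", in)
		fmt.Printf("%-24q -> %q, err=%v\n", in, p, err)
	}
}
```

The decode-then-check order is the point: a validator that inspects the raw `{fileName}` string never sees the slash that the router or a later decode produces.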
### Vulnerable code
`internal/persis/filedag/store.go`, lines 508-513:
```go
func (store *Storage) locateDAG(nameOrPath string) (string, error) {
	if strings.Contains(nameOrPath, string(filepath.Separator)) {
		foundPath, err := findDAGFile(nameOrPath)
		if err == nil {
```
GHSA
CVE-2026-1691 [MEDIUM] CWE-20 · GHSA-g4hj-43hm-xfc7 · ghsa_unreviewed · 2026-01-30
A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.