CVE-2026-22786Path Traversal in Gin-vue-admin

CWE-22Path TraversalCWE-434Unrestricted File Upload6 documents5 sources
Severity
7.3HIGHNVD
EPSS
0.6%
top 30.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Flipped-aurora Gin-vue-adminGithub.com Flipped-aurora Gin-vue-adminGin-vue-admin Project Gin-vue-admin
Timeline
PublishedJan 12
Latest updateJan 23

Description

Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal in github.com/flipped-aurora/gin-vue-admin2026-01-23
GHSA
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal2026-01-13
OSV
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal2026-01-13
CVEList
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal2026-01-12

🕵️Threat Intelligence

1
Wiz
CVE-2026-22786 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-22786 — Path Traversal in Gin-vue-admin | cvebase