CVE-2026-3051
Published 2026-02-24
Priority: P2 · 62 · high · CVSS 3.1: 7.6
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:H / A:L
EPSS: 6.51% (92.9th percentile)
A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir in the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Manipulating the argument projectName leads to path traversal. The attack can be performed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| datalinkdc | dinky | — | — |
| datalinkdc | dinky | — | — |
| datalinkdc | dinky | — | — |
| datalinkdc | dinky | — | — |
| datalinkdc | dinky | — | — |
| datalinkdc | dinky | — | — |
| dinky | dinky | <= 1.2.5 | — |
Detection & IOCs (extracted from sources)
url: /api/git/saveOrUpdate
url: https://github.com/AnalogyC0de/public_exp/issues/5
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Dinky Git Project name Parameter Directory Traversal Attempt (CVE-2026-3051)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/api/git/saveOrUpdate"; fast_pattern; http.request_body; content:"|22|name|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/AnalogyC0de/public_exp/issues/5; reference:cve,2026-3051; classtype:attempted-admin; sid:2067916; rev:1; metadata:affected_product Dinky, attack_target Web_Server, tls_state plaintext, created_at 2026_02_24, cve CVE_2026_3051, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for HTTP POST requests to the exact URI /api/git/saveOrUpdate (bsize:21) containing a JSON 'name' field (|22|name|22|) with path traversal sequences in the value, e.g., dot-dot-slash variants including URL-encoded forms (%2e, %2f, %5c).
- The vulnerable code path is the getProjectDir function in GitRepository.java; the projectName argument is not sanitised before being used in path construction, enabling directory traversal from a remote, unauthenticated context.
- The Snort/Suricata rule targets plaintext (non-TLS) traffic only; ensure perimeter and internal sensors both inspect HTTP on all ports to $HOME_NET for this signature (sid:2067916).
- The Snort/Suricata PCRE uses the /R (relative) flag to match path traversal sequences within the request body relative to the |22|name|22| content match; ensure your IDS/IPS engine supports this flag correctly.
- The vendor did not respond to early disclosure; no official patch confirmation is available for Dinky up to 1.2.5, so the affected version range may extend further.
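The matching logic of the rule above (sid:2067916), re-expressed in Python so it can be run over already-parsed requests from proxy or application logs. This is an added example, not part of the original page or of the Emerging Threats rule set; the function names and the sample requests are constructed for illustration.

```python
import re

URI = "/api/git/saveOrUpdate"   # 21 bytes, which is what bsize:21 enforces
NAME_KEY = '"name"'             # content:"|22|name|22|"

# The rule's PCRE. Its leading ^ plus the /R flag anchor it at the byte right
# after the "name" match; Pattern.match(body, pos) gives the same anchoring.
TRAVERSAL = re.compile(
    r'(?:\x3a(?:\x20\x22|\x22))?'        # optional :" or : "
    r'[^\x2c\x7d$]*?'                    # stay in this field: no , } or $
    r'(?:(?:\x2e|%2[Ee]){1,2}'           # one or two dots, raw or %2e
    r'(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}'   # then one or more / or \ (raw or encoded)
    r'){2,}'                             # at least two such segments in a row
)

def rule_matches(method: str, uri: str, body: str) -> bool:
    """Approximate sid:2067916 on an already-parsed HTTP request."""
    if method != "POST" or uri != URI:
        return False
    pos = body.find(NAME_KEY)
    while pos != -1:                     # try every "name" key in the body
        if TRAVERSAL.match(body, pos + len(NAME_KEY)):
            return True
        pos = body.find(NAME_KEY, pos + 1)
    return False

# Constructed sample requests (method, uri, body); not real traffic.
SAMPLES = [
    ("POST", URI, '{"name":"../../tmp/x","url":"https://git.example/r.git"}'),
    ("POST", URI, '{"name": "..%2f..%2Fdata"}'),
    ("POST", URI, '{"name":"%2e%2e%5c%2e%2e%5cdata"}'),
    ("POST", URI, '{"name":"release-1.2/build","branch":"main"}'),
    ("POST", URI, '{"name":"demo","branch":"../../x"}'),
    ("GET", URI, '{"name":"../../tmp/x"}'),
]

def scan(samples=SAMPLES):
    """Return one boolean per sample: True where the rule logic would alert."""
    return [rule_matches(*s) for s in samples]

if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, scan()):
        print("ALERT" if hit else "ok   ", sample[0], sample[2])
```

Ordinary project names that contain dots or slashes do not alert, and the comma exclusion keeps the match inside the name field rather than a later field of the same JSON object.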
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS Dinky Git Project name Parameter Directory Traversal Attempt (CVE-2026-3051)
suricata·2026-02-24·CVSS 5.3
CVE-2026-3051 [MEDIUM] ET WEB_SPECIFIC_APPS Dinky Git Project name Parameter Directory Traversal Attempt (CVE-2026-3051)
No public exploits indexed.
No writeups or analysis indexed.