cbcvebase.
CVE-2026-33344
published 2026-03-24

CVE-2026-33344: Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to…

PriorityP349high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EPSS
0.47%
37.1th percentile
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.

Affected

2 ranges
VendorProductVersion rangeFixed in
dagudagu>= 2.0.0 < 2.3.12.3.1
github.comdagu-org_dagu>= 1.30.4-0.20260221021317-e2ed589105d7 < 1.30.4-0.20260319093346-7d07fda8f9de1.30.4-0.20260319093346-7d07fda8f9de

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
ghsa7.1HIGH
osv7.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.