cvebase

Dagu-Org Dagu vulnerabilities

3 known vulnerabilities affecting dagu-org/dagu.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2026-31882 | P3 | HIGH | CVSS 7.5 | fixed in 2.2.4 | 2026-03-13
[HIGH] CWE-306: Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs
Source: NVD
CVE-2026-27598 | P3 | MEDIUM | CVSS 6.5 | v >= 2.0.0, < 2.3.1 | 2026-02-25
[MEDIUM] CWE-22: Dagu is a workflow engine with a built-in Web user interface. In versions up to and including 1.16.7, the `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passing it to the file store. An authenticated user with DAG write permissions can write arbitrary YAML files anywhere on the filesystem (limited by the proce
Source: NVD
CVE-2026-31886 | P3 | HIGH | CVSS 7.6 | fixed in 2.2.4 | 2026-03-13
[HIGH] CWE-22: Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as "..
Source: NVD