cvebase

github.com/dagu-org/dagu vulnerabilities

3 known vulnerabilities affecting github.com/dagu-org/dagu.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3

Vulnerabilities

CVE-2026-33344 | P3 | HIGH | CVSS 7.1 | ≥ 1.30.4-0.20260221021317-e2ed589105d7, < 1.30.4-0.20260319093346-7d07fda8f9de | 2026-03-19
CVE-2026-33344 [HIGH] CWE-22 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
The fix for CVE-2026-27598 (commit e2ed589, PR #1691) added `ValidateDAGName` to `CreateNewDAG` and rewrote `generateFilePath` to use `filepath.Base`. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the `{fileName}` URL
Sources: GHSA, OSV

CVE-2026-31886 | P3 | HIGH | CVSS 7.1 | ≥ 0, ≤ 2.2.4 | 2026-03-13
CVE-2026-31886 [HIGH] CWE-22 Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
1. Vulnerability Summary: The `dagRunId` request field accepted by the inline DAG execution endpoints is passed directly into `filepath.Join` to construct a temporary directory path without any format validation. Go's `filepath.Join` resolves `..` segments lexically, so a caller can supply a value such as `".."` to redirect the computed director
Sources: GHSA, OSV

CVE-2026-27598 | P3 | HIGH | ≥ 0, ≤ 1.16.7 | 2026-02-24
CVE-2026-27598 [HIGH] CWE-22 Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory
The `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passing it to the file store. While `RenameDAG` calls `core.ValidateDAGName()` to reject names containing path separators (line 273 in `dags.go`), `CreateNewDAG` skips this validation entirely
Sources: GHSA, OSV