CVE-2026-57966 | Spice-vdagent: path traversal in file transfer via unsanitized filename

A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. This occurs because the filename provided by the SPICE host during file transfers is not properly sanitized before being used. An attacker could exploit this to write to sensitive locations with the privileges of the spice-vdagent process, typically the logged-in user. This issue requires the SPICE host to be untrusted or compromised for exploitation.

Published: 2026-06-29 Last update: 2026-07-07 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2026-57966 is rated Low Risk (18.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.14%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-57966

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-29 0.14%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-57966

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.4 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.
0.8 3.6 [email protected]

Weakness enumeration for CVE-2026-57966

GitHub Security Advisory for CVE-2026-57966

GHSA-gg66-359m-pmcc · Severity: medium — A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or...

OS Trackers for CVE-2026-57966

vendor priority summary link
debian not yet assigned CVE-2026-57966 not yet assigned priority: Debian including 1 source packages (spice-vdagent), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 5. https://security-tracker.debian.org/tracker/CVE-2026-57966
suse high https://www.suse.com/security/cve/CVE-2026-57966/
ubuntu medium CVE-2026-57966 medium priority: Ubuntu including 1 source packages (spice-vdagent), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, resolute, upstream): needs-triage 7. https://ubuntu.com/security/CVE-2026-57966

Affected software / configurations for CVE-2026-57966

Vendor Product Version Raw CPE
redhat enterprise_linux 6.0 cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
redhat enterprise_linux 7.0 cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
redhat enterprise_linux 8.0 cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhat enterprise_linux 9.0 cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
redhat enterprise_linux 10.0 cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
spice-space spice-vdagent cpe:2.3:a:spice-space:spice-vdagent:-:*:*:*:*:*:*:*

References for CVE-2026-57966

cvelogic Threat Intelligence