Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal

CVE-2026-22786 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Impact

Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory.

Path traversal vulnerabilities occur when a web application accepts user-supplied file paths without proper validation, allowing attackers to access or write files outside the intended directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../).

Notably, while the related makeFileContent function in the same file properly validates the fileName parameter by checking for .. sequences, the MakeFile function lacks this security control, indicating an inconsistent security implementation.

An attacker with file upload privileges (role ID 888 - super administrator) could exploit this vulnerability by:

First uploading file chunks through the /fileUploadAndDownload/breakpointContinue endpoint (which has proper validation)

Then calling the /fileUploadAndDownload/breakpointContinueFinish endpoint with a malicious fileName parameter containing path traversal sequences (e.g., ../../../tmp/malicious.txt)

This could lead to:
Arbitrary file creation, application process, Configuration file overwriting, Potential Remote Code Execution......

POC

  1. Use this endpoint to upload any files(include name or file types)
    <img width="1429" height="788" alt="Clipboard_Screenshot_1767755216" src="https://github.com/user-attachments/assets/516022d6-32af-4810-abd9-945cb0bc5ae5" />

  2. Then, the filename parameter here uses ../ to traverse to an arbitrary path.
    <img width="1445" height="306" alt="Clipboard_Screenshot_1767755256" src="https://github.com/user-attachments/assets/577aa1c1-9b26-4082-b431-f9dac1cdc307" />

  3. Proof
    <img width="837" height="843" alt="Clipboard_Screenshot_1767755312" src="https://github.com/user-attachments/assets/66f51049-8dc8-4c94-994e-a6d8bc1196a9" />

Patches

Please wait for the latest patch

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-01-13 19:15:13 UTC
Updated
2026-01-13 19:15:15 UTC
GitHub reviewed
2026-01-13 19:15:13 UTC
NVD published
2026-01-12 22:16:08 UTC

EPSS Score

Score Percentile
0.59% 68.97%

CVSS Scores

Base score Version Severity Vector
7.3 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:H)
High privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

Type Value
GHSA GHSA-3558-j79f-vvm6 ↗
CVE CVE-2026-22786 ↗

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-434 Unrestricted Upload of File with Dangerous Type

Credits

  • D0ub1e-D (coordinator)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/flipped-aurora/gin-vue-admin <= 2.8.7

References

cvelogic Threat Intelligence