PT-2026-22067 · Netexec · Netexec

Raynlight · Published 2026-02-26 · Updated 2026-02-26 · CVE-2026-27884

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

NetExec versions prior to 1.5.1

Description

NetExec is a network execution tool. The spider plus module does not properly handle file paths when saving files from SMB shares, specifically failing to account for path traversal characters like ../ in Linux SMB shares. This allows an attacker to craft a filename containing these characters, potentially leading to arbitrary file overwrites or creation during file downloads performed by the spider plus module. The issue is addressed in version 1.5.1.

Recommendations

Versions prior to 1.5.1 should be updated to version 1.5.1 or later. As a workaround, avoid running spider plus with DOWNLOAD=true against targets.
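
The class of check that prevents this kind of overwrite, shown as an added example; it is not NetExec's code or its 1.5.1 fix. The names `safe_local_path`, `partition_listing` and `UnsafeRemotePath` are hypothetical, and the sample listing is constructed.

```python
from pathlib import Path


class UnsafeRemotePath(ValueError):
    """A server-supplied path would land outside the download directory."""


def safe_local_path(output_dir, remote_path):
    """Map a path reported by an SMB server to a local path under output_dir."""
    base = Path(output_dir).resolve()
    # The server controls this string; treat both separators as separators and
    # drop empty and "." components (so a leading "/" cannot make it absolute).
    parts = [p for p in remote_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or any(p == ".." or "\x00" in p for p in parts):
        raise UnsafeRemotePath(f"rejected remote path: {remote_path!r}")
    candidate = base.joinpath(*parts).resolve()
    # Defence in depth: resolve() follows symlinks that already exist under
    # base, so a link pointing elsewhere is caught here.
    if base not in candidate.parents:
        raise UnsafeRemotePath(f"escapes {base}: {remote_path!r}")
    return candidate


def partition_listing(output_dir, remote_paths):
    """Split a share listing into (safe local paths, rejected remote paths)."""
    accepted, rejected = [], []
    for remote in remote_paths:
        try:
            accepted.append(safe_local_path(output_dir, remote))
        except UnsafeRemotePath:
            rejected.append(remote)
    return accepted, rejected


if __name__ == "__main__":
    import tempfile
    # Constructed listing: names as a hostile Linux SMB server could report them.
    listing = ["docs/report.txt", "../../home/user/.profile", "logs/../../x", "/etc/motd"]
    ok, bad = partition_listing(tempfile.mkdtemp(), listing)
    print("write:", *ok, sep="\n  ")
    print("skip:", *bad, sep="\n  ")
```

Rejected names are worth logging rather than silently skipping: a share that returns `..` components in a listing is itself a signal that the target is hostile to the scanning host.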

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-27884
GHSA-FCCR-6QM2-7H27

Affected Products

Netexec