PT-2026-2240 · Devtoys · Devtoys

Lihnucs · Published 2026-01-10 · Updated 2026-03-12 · CVE-2026-22685
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DevToys versions 2.0.0.0 through 2.0.8.0
Description: DevToys, a desktop application for developers, contains a path traversal flaw in its extension installation process. When handling extension packages (NUPKG archives), the application does not adequately validate the file paths of the entries inside the archive. A specially crafted extension package containing entries such as ../../…/target-file could allow an attacker to write files outside the intended extensions directory. This could overwrite arbitrary files on the user’s system with the privileges of the DevToys process, potentially resulting in code execution, configuration changes, or data corruption. The vulnerability is triggered when an extension package is processed; the vulnerable component is the extension installation mechanism.
Recommendations: Update DevToys versions 2.0.0.0 through 2.0.8.0 to version 2.0.9.0 or later.
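As an added illustration (not code from this advisory or from DevToys, which is a .NET application), a Python check of the kind an installer must apply to every NUPKG entry before writing it: the vulnerable join beside a hardened resolve-and-prefix test, run over a constructed package whose entry names and install root are assumptions.

```python
"""Defender-side entry-path check for the archive traversal described above.
Added illustration, not DevToys code (DevToys is a .NET application); a NUPKG
is a ZIP archive, so entry names are read here with Python's zipfile module."""
import io
import os
import zipfile
from typing import List, Optional

# Assumed install root for the illustration; not the real DevToys directory.
EXTENSIONS_DIR = os.path.realpath(os.path.join(os.path.abspath(os.sep), "devtoys", "extensions"))


def naive_destination(extensions_dir: str, entry_name: str) -> str:
    """Vulnerable pattern: trust the entry name and join it onto the root,
    so '../../target-file' resolves to a path outside extensions_dir."""
    return os.path.normpath(os.path.join(extensions_dir, entry_name))


def safe_destination(extensions_dir: str, entry_name: str) -> Optional[str]:
    """Hardened pattern: resolve the candidate and require that it stays strictly
    below the extensions directory. None means 'reject this entry'."""
    root = os.path.realpath(extensions_dir)
    name = entry_name.replace("\\", "/")  # backslashes count as separators too
    if name.startswith("/") or os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return None  # absolute path or Windows drive prefix
    candidate = os.path.realpath(os.path.join(root, name))
    # The separator is part of the prefix, so '<root>-evil/x' is not accepted.
    return candidate if candidate.startswith(root + os.sep) else None


def unsafe_entries(nupkg_bytes: bytes, extensions_dir: str) -> List[str]:
    """Names of every entry that would land outside extensions_dir. An installer
    should refuse the whole package when this is non-empty, before writing anything."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        return [n for n in zf.namelist() if safe_destination(extensions_dir, n) is None]


def build_sample_package() -> bytes:
    """Constructed test input: two ordinary entries plus three that try to escape
    the extensions directory (dummy bodies; only the names matter here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("MyExtension.nuspec", "lib/net8.0/MyExtension.dll",
                     "../../target-file", "/etc/target-file", "lib\\..\\..\\target-file"):
            zf.writestr(name, b"dummy")
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected entries:", unsafe_entries(build_sample_package(), EXTENSIONS_DIR))
```

The check must run over the complete entry list before any file is written, since a package is either wholly trusted or wholly refused.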

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2026-22685
GHSA-GGXR-H6FM-P2QH

Affected Products

Devtoys