PT-2026-2304 · Unknown · Gin-Vue-Admin

D0Ub1E-Dcoordinator · Published 2026-01-12 · Updated 2026-01-26 · CVE-2026-22786

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Gin-vue-admin versions prior to 2.8.8

Description

Gin-vue-admin, a backstage management system based on vue and gin, contains a path traversal issue in the breakpoint resume upload functionality. The MakeFile function in the breakpoint continue.go file directly concatenates the fileName parameter with the base directory path (./fileDir/) and passes the result to os.OpenFile() without validating it for directory traversal sequences such as ../. An attacker with file upload privileges can exploit this to upload arbitrary files to any directory. The vulnerable API endpoint is /fileUploadAndDownload/breakpointContinueFinish, and the vulnerable parameter is fileName.

Recommendations

Update Gin-vue-admin to version 2.8.8 or later.
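The weakness described above, as an added example (not code from Gin-vue-admin or from this advisory): the concatenation pattern next to one way to constrain fileName before the path is opened. The names `unsafeTarget`, `escapesBase` and `safeTarget` are hypothetical, and the sample file names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

const baseDir = "./fileDir/" // base directory named in the advisory

var errUnsafeName = errors.New("fileName resolves outside base directory")

// unsafeTarget shows the pattern the advisory describes: the caller-supplied
// fileName is concatenated onto the base directory with no validation.
func unsafeTarget(fileName string) string { return baseDir + fileName }

// escapesBase reports whether p, once absolute and cleaned, lies outside baseDir.
func escapesBase(p string) bool {
	base, err1 := filepath.Abs(baseDir)
	abs, err2 := filepath.Abs(p)
	if err1 != nil || err2 != nil {
		return true // fail closed
	}
	rel, err := filepath.Rel(base, abs)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeTarget (hypothetical helper) accepts only a bare file name, then
// re-checks containment on the joined path before it reaches os.OpenFile.
func safeTarget(fileName string) (string, error) {
	if fileName == "" || fileName == "." || fileName == ".." ||
		strings.ContainsAny(fileName, `/\`) || strings.ContainsRune(fileName, 0) {
		return "", errUnsafeName
	}
	target := filepath.Join(baseDir, fileName)
	if escapesBase(target) {
		return "", errUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed sample names, not taken from the advisory.
	for _, name := range []string{"report.pdf", "../../tmp/x.txt", "a/../../b", ".."} {
		_, err := safeTarget(name)
		fmt.Printf("%-20q concat escapes=%-5v safeTarget err=%v\n", name, escapesBase(unsafeTarget(name)), err)
	}
}
```

The containment check is lexical only: it does not resolve symlinks that already exist under the base directory.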

Exploit

Fix

Unrestricted File Upload

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-22786
GHSA-3558-J79F-VVM6
GO-2026-4313
SUSE-SU-2026:0292-1

Affected Products

Gin-Vue-Admin