CVE-2026-32733

Name of the Vulnerable Software and Affected Versions Halloy versions prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6

Description Halloy, an IRC application written in Rust, had a flaw in its DCC receive flow. Before commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, filenames received through DCC SEND requests were not properly sanitized. This allowed a remote IRC user to potentially write files outside the user’s designated save directory by crafting filenames with path traversal sequences, such as ../../.ssh/authorized keys. If auto-accept was enabled, this could occur without any interaction from the victim. The issue stemmed from a lack of filename sanitization during the DCC receive process.

Recommendations Update Halloy to a version with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 or later.