PT-2026-38271 · Flight · Flight

Published: 2026-05-06 · Updated: 2026-05-13 · CVE-2026-42549

CVSS v3.1: 4.4 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Flight versions prior to 3.18.1

Description

The `make:controller` CLI command allows arbitrary directory creation outside the project root. This occurs because the command calls `mkdir(..., recursive: true)` on a path constructed from a user-supplied controller name before class-name validation is performed. While the subsequent class-file write is rejected if the name contains `/`, the directory creation side effect is already committed, enabling path traversal via `../` sequences. On Windows systems, the `\` separator provides an additional traversal surface. This issue can be exploited by local actors with access to the Flight CLI, such as on developer machines or shared CI build agents.

Recommendations

Update to version 3.18.1.
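
The ordering flaw from the description, next to a validate-first version, as an added PHP example. It is not Flight's source code; the function names, the `app/controllers` layout and the generated class stub are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Flight's source. Function names and the
// app/controllers layout are assumptions made for this example.
const CLASS_NAME = '/^[A-Za-z_][A-Za-z0-9_]*\z/';

// Ordering described in the advisory: mkdir() runs on a path built from the
// raw name, and the class-name check only happens afterwards.
function makeControllerUnsafe(string $root, string $name): string
{
    $file = "$root/app/controllers/$name.php";
    if (!is_dir(dirname($file))) {
        mkdir(dirname($file), 0775, true);   // side effect already committed
    }
    if (preg_match(CLASS_NAME, $name) !== 1) {
        throw new InvalidArgumentException("Invalid class name: $name");
    }
    file_put_contents($file, "<?php\n\nclass $name\n{\n}\n");
    return $file;
}

// Corrected ordering: validate first, then touch the filesystem.
function makeControllerSafe(string $root, string $name): string
{
    // 1. Reject anything that is not a bare identifier, which excludes
    //    "/", "\" and "." before any path is built.
    if (preg_match(CLASS_NAME, $name) !== 1) {
        throw new InvalidArgumentException("Invalid class name: $name");
    }
    // 2. Create only the fixed target directory, never one derived from input.
    $dir = "$root/app/controllers";
    if (!is_dir($dir) && !mkdir($dir, 0775, true)) {
        throw new RuntimeException("Cannot create $dir");
    }
    // 3. Defence in depth: the resolved directory must still sit under the
    //    resolved project root (catches a symlinked controllers directory).
    $realRoot = realpath($root);
    $realDir  = realpath($dir);
    if ($realRoot === false || $realDir === false
        || strpos($realDir . DIRECTORY_SEPARATOR, $realRoot . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Controller directory escapes project root');
    }
    $file = $realDir . DIRECTORY_SEPARATOR . $name . '.php';
    file_put_contents($file, "<?php\n\nclass $name\n{\n}\n");
    return $file;
}
```

The pattern uses `\z` rather than `$` so a name with a trailing newline is rejected as well.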

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-42549
GHSA-3XJV-PMF2-GF2Q

Affected Products

Flight