PT-2026-39730 · Crabbox · Crabbox

Published

2026-05-11

·

Updated

2026-06-25

·

CVE-2026-45224

CVSS v3.1

7.1

High

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions Crabbox versions prior to 0.9.0
Description A path traversal issue exists in the Islo provider's workspace path resolution. This allows attackers to use absolute or relative paths that resolve outside the intended '/workspace' directory. By crafting a malicious .crabbox.yaml or crabbox.yaml file containing traversal sequences, an attacker can cause arbitrary file deletion and overwriting when sync.delete is enabled. This occurs because the workspace preparation logic performs rm -rf and mkdir -p operations on the resolved path without adequate validation.
Recommendations Update to version 0.9.0 or later.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45224
GHSA-3CJV-H753-QF7H
GO-2026-5079

Affected Products

Crabbox