PT-2026-41798 · Cloakhq+2 · Cloakbrowser
0Xlally
·
Published
2026-05-18
·
Updated
2026-06-01
·
CVE-2026-45727
CVSS v4.0
8.8
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
CloakBrowser versions prior to 0.3.28
Description
The
cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker with network access to the cloakserve port can provide a crafted fingerprint value containing path traversal sequences to resolve user data dir outside the configured data dir. When Chrome fails to start or the process is cleaned up, the shutil.rmtree() function deletes the traversed path, leading to arbitrary directory deletion. By default, cloakserve is bound to 0.0.0.0, which makes it exposed to the network.Recommendations
Update to version 0.3.28.
Restrict network access to the
cloakserve port.Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cloakbrowser