PT-2026-44118 · Microsoft · Ufo

Beanduan22 · Published 2026-05-27 · Updated 2026-05-30 · CVE-2026-46402

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Microsoft UFO version 3.0.1-4-ge2626659

Description

Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. The software uses the user-controlled task name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in the task name variable, allowing the creation of log directories and log files outside the intended 'logs/' directory. Path traversal is a technique used to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash (../) sequences.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
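The pattern in the description, shown beside a containment check, as an added example that is not code from the UFO project or from this advisory. The function names, the allowlist pattern and the sample task names are hypothetical; only the `logs/` directory and the client-supplied task name come from the description.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical allowlist: one path component, no separators, no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def naive_log_dir(log_root: str, task_name: str) -> Path:
    """The pattern the description reports: the client value is joined as-is."""
    return Path(os.path.join(log_root, task_name))


def is_inside(log_root: str, candidate: Path) -> bool:
    """True when candidate, after resolving '..' and symlinks, is under log_root."""
    root = Path(log_root).resolve()
    resolved = candidate.resolve()
    return root in resolved.parents


def checked_log_dir(log_root: str, task_name: str) -> Path:
    """Allowlist the name first, then confirm containment on the resolved path."""
    if not _SAFE_NAME.fullmatch(task_name):
        raise ValueError(f"rejected task name: {task_name!r}")
    candidate = Path(log_root) / task_name
    # Second check catches what the allowlist cannot see, e.g. an existing
    # entry under log_root that is a symlink pointing elsewhere.
    if not is_inside(log_root, candidate):
        raise ValueError(f"log path escapes log root: {task_name!r}")
    return candidate.resolve()


def audit(log_root: str, task_names):
    """For each name: does the naive join stay inside, and is it accepted?"""
    report = {}
    for name in task_names:
        try:
            checked_log_dir(log_root, name)
            accepted = True
        except ValueError:
            accepted = False
        report[name] = (is_inside(log_root, naive_log_dir(log_root, name)), accepted)
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "logs")
        # Constructed sample task names, not taken from the advisory.
        for name, result in audit(root, ["nightly-build", "../../outside", "/abs-demo"]).items():
            print(f"{name!r}: naive_inside={result[0]} accepted={result[1]}")
```

Until a fixed release is announced, the same `is_inside` test can be run over task names already recorded by a deployment to find sessions whose log path resolved outside `logs/`.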

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-46402

Affected Products

Ufo