PT-2026-44488 · Hkuds · Deepcode

Yu Sun · Published 2026-05-28 · Updated 2026-06-03 · CVE-2026-32847

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

DeepCode versions prior to commit c991dc2

Description

A path traversal issue exists in the SPA catch-all route within new_ui/backend/main.py. Unauthenticated attackers can read arbitrary files by providing percent-encoded path segments to the 'GET /{full_path:path}' endpoint. By encoding slashes as %2F and dots as %2E%2E, the Starlette path normalization is bypassed, allowing the joined path to move outside the FRONTEND_DIST directory. This can expose sensitive data, including SSH private keys, TLS certificates, and application secrets, via a single HTTP request.

Recommendations

Update to a version containing commit c991dc2 or later.
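
One way to write the containment check that closes this class of bug in a catch-all static route, shown as an added example (it is not DeepCode's code and not the content of commit c991dc2). The function names, the temporary directory layout and the sample request paths are assumptions constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_spa_path(dist_root: Path, full_path: str) -> Path:
    """Unsafe pattern: join the request path to the root, no containment check."""
    return dist_root / full_path


def safe_spa_path(dist_root: Path, full_path: str) -> Optional[Path]:
    """Return a regular file inside dist_root, or None if the request is rejected."""
    if "\x00" in full_path:
        return None
    root = dist_root.resolve()
    # Resolve first so ".." segments and symlinks are collapsed, then compare.
    candidate = (root / full_path).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Run both helpers against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        dist = base / "dist"  # stands in for FRONTEND_DIST
        (dist / "assets").mkdir(parents=True)
        (dist / "assets" / "app.js").write_text("console.log('ok')")
        (base / "secret.txt").write_text("constructed secret")
        # Constructed request paths; unquote() stands in for the decoding
        # applied before the handler receives full_path.
        inside = unquote("assets/app.js")
        outside = unquote("%2E%2E%2Fsecret.txt")
        return {
            "naive_escapes": naive_spa_path(dist, outside).resolve() == base / "secret.txt",
            "safe_inside": safe_spa_path(dist, inside) == dist / "assets" / "app.js",
            "safe_outside": safe_spa_path(dist, outside),
            "safe_absolute": safe_spa_path(dist, "/etc/hostname"),
        }


if __name__ == "__main__":
    print(demo())
```

A route handler built on this would answer with 404, or fall back to index.html, whenever safe_spa_path returns None.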

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32847

Affected Products

Deepcode