PT-2026-50563 · Black Lantern Security · Bbot

Published 2026-06-17 · Updated 2026-06-18 · CVE-2026-12568

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Postman Download Module (affected versions not specified)

Description

The postman download module fails to sanitize the workspace name field retrieved from the Postman API when constructing local directory paths. A malicious workspace name containing path traversal characters (a technique used to access files and directories outside the intended folder) allows the pathlib library to resolve paths outside the designated output directory, enabling an attacker to write arbitrary files to the user's system.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
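
The pathlib behaviour named in the description, next to a contained alternative. This is an added example, not code from Bbot or from this advisory: the function names, the output directory and the workspace names are constructed for illustration, and POSIX paths are assumed.

```python
import re
from pathlib import Path


def naive_join(output_dir: str, workspace_name: str) -> Path:
    """Unsafe pattern: the untrusted name is joined as-is, so '..' segments
    or a leading '/' decide where the result points."""
    return (Path(output_dir) / workspace_name).resolve()


def escapes(output_dir: str, workspace_name: str) -> bool:
    """True if the naive join lands outside output_dir."""
    base = Path(output_dir).resolve()
    target = naive_join(output_dir, workspace_name)
    return target != base and base not in target.parents


def safe_join(output_dir: str, workspace_name: str) -> Path:
    """Reduce the name to one allowlisted path component, then verify
    containment after resolution (also catches symlinks under base)."""
    base = Path(output_dir).resolve()
    cleaned = re.sub(r"[^A-Za-z0-9_-]+", "_", workspace_name).strip("_")
    if not cleaned:
        raise ValueError(f"unusable workspace name: {workspace_name!r}")
    target = (base / cleaned).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes output directory: {target}")
    return target


if __name__ == "__main__":
    out = "/srv/scan-output"  # constructed output directory
    # Constructed workspace names: benign, relative traversal, absolute path.
    for name in ["team-api", "../../outside", "/abs/elsewhere"]:
        print(f"{name!r}: escapes={escapes(out, name)} safe={safe_join(out, name)}")
```

Sanitizing can map two different workspace names to the same directory, so a caller that needs uniqueness should add a stable identifier of its own to the directory name.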

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-12568

Affected Products

Bbot