CVE-2026-48716

Name of the Vulnerable Software and Affected Versions nanobot versions prior to 0.1.5.post4

Description The WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The bridge downloads media attachments and writes them to disk using a filename derived from the sender's message via documentMessage.fileName, which is concatenated with a prefix and passed directly to the path.join() function. Because Node.js path.join() resolves .. components, an attacker can escape the intended media directory by sending a document with a crafted fileName. Since the attacker also controls the file content, this allows for an arbitrary file write on the system.

Recommendations Update to version 0.1.5.post4.