PT-2026-53922 · Hkuds · Vibe-Trading

Published

2026-06-30

·

Updated

2026-06-30

·

CVE-2026-58171

CVSS v3.1

4.2

Medium

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58171

Affected Products

Vibe-Trading