PT-2026-53922 · Hkuds · Vibe-Trading
Published
2026-06-30
·
Updated
2026-06-30
·
CVE-2026-58171
CVSS v3.1
4.2
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L |
Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vibe-Trading