OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter “filename” is user-controllable and is concatenated into the file path to be read without proper validation, leading to a directory traversal vulnerability that may result in sensitive information disclosure.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-22 | |
| Metrics |
cvssV3_1
|
Mon, 13 Jul 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file() function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter “filename” is user-controllable and is concatenated into the file path to be read without proper validation, leading to a directory traversal vulnerability that may result in sensitive information disclosure. | |
| References |
|
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-13T19:45:59.471Z
Reserved: 2026-02-16T00:00:00.000Z
Link: CVE-2026-26396
Updated: 2026-07-13T19:45:54.607Z
No data.
No data.
OpenCVE Enrichment
No data.