High severity 7.8 · NVD Advisory · Published Mar 3, 2026 · Updated Apr 17, 2026
CVE-2026-28518
Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the privileges of the importing process.
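The checks an importer needs against the three member-name classes named above, as an added example; this is not OpenViking's code or the patch in commit 46b3e76. `unsafe_reason`, `safe_extract` and `build_archive` are hypothetical names, and the sample archives are constructed in memory.

```python
import io
import ntpath
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional


def unsafe_reason(name: str) -> Optional[str]:
    """Return why a ZIP member name must be rejected, or None if acceptable."""
    norm = name.replace("\\", "/")  # treat both separators alike on any OS
    if norm.startswith("/"):
        return "absolute path"
    if ntpath.splitdrive(name)[0]:  # Windows drive forms such as "C:\\x" or "C:x"
        return "drive prefix"
    if ".." in norm.split("/"):
        return "traversal sequence"
    return None


def safe_extract(archive: zipfile.ZipFile, dest: Path) -> List[str]:
    """Check every member before writing anything, then extract into dest."""
    root = dest.resolve()
    for info in archive.infolist():
        reason = unsafe_reason(info.filename)
        # Defence in depth: the resolved target must still sit under root.
        target = (root / info.filename.replace("\\", "/")).resolve()
        if reason is None and not target.is_relative_to(root):
            reason = "resolves outside import directory"
        if reason:
            raise ValueError(f"rejected member {info.filename!r}: {reason}")
    archive.extractall(root)
    return sorted(archive.namelist())


def build_archive(names: List[str]) -> zipfile.ZipFile:
    """Constructed sample input: an in-memory ZIP with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(safe_extract(build_archive(["meta.json", "data/a.txt"]), Path(tmp)))
        try:
            safe_extract(build_archive(["meta.json", "../outside.txt"]), Path(tmp))
        except ValueError as err:
            print(err)
```

Validation runs over the whole archive before any file is written, so a single bad member rejects the import without leaving a partial extraction behind.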
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openviking (PyPI) | <= 0.2.1 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72 [nvd] Patch, WEB
- www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal [nvd] Patch, Third Party Advisory, WEB
- github.com/advisories/GHSA-rpqr-j937-6qr9 [ghsa] ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28518 [ghsa] ADVISORY
- github.com/volcengine/OpenViking/issues/342 [nvd] Issue Tracking, WEB