High severity 7.8 · NVD Advisory · Published Mar 3, 2026 · Updated Apr 17, 2026
CVE-2026-28518
Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the privileges of the importing process.
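The three member-name classes named in the description (traversal sequences, absolute paths, drive prefixes) can be rejected before anything is written. The following is an added example, not OpenViking's code and not the fix in commit 46b3e76; `check_member_name`, `safe_extract` and `UnsafeMemberError` are hypothetical names, and the sample member names are constructed.

```python
import ntpath
import zipfile
from pathlib import Path


class UnsafeMemberError(ValueError):
    """Raised when an archive member name would escape the import directory."""


def check_member_name(name: str) -> str:
    """Return a normalised relative POSIX path, or raise UnsafeMemberError."""
    unified = name.replace("\\", "/")       # treat both separators alike
    drive, _ = ntpath.splitdrive(name)      # catches "C:..." and UNC prefixes
    if drive or unified.startswith("/"):
        raise UnsafeMemberError(f"absolute path or drive prefix: {name!r}")
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeMemberError(f"traversal sequence or empty name: {name!r}")
    return "/".join(parts)


def safe_extract(archive: zipfile.ZipFile, dest: Path) -> list[str]:
    """Validate every member first, then write; nothing is written on failure."""
    dest = dest.resolve()
    plan = []
    for info in archive.infolist():
        rel = check_member_name(info.filename)
        target = (dest / rel).resolve()
        if not target.is_relative_to(dest):  # e.g. a symlink already inside dest
            raise UnsafeMemberError(f"resolves outside {dest}: {info.filename!r}")
        plan.append((info, target))
    written = []
    for info, target in plan:
        if info.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(archive.read(info))
        written.append(target.relative_to(dest).as_posix())
    return written


if __name__ == "__main__":
    # Constructed member names, not taken from any real archive.
    for name in ("docs/readme.md", "../x", "/etc/x", "C:\\x", "..\\x"):
        try:
            print(name, "->", check_member_name(name))
        except UnsafeMemberError as exc:
            print("rejected:", exc)
```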
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openviking (PyPI) | <= 0.2.1 | — |
References
- github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72 (NVD; Patch)
- www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal (NVD; Patch, Third Party Advisory)
- github.com/advisories/GHSA-rpqr-j937-6qr9 (GHSA; Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28518 (GHSA; Advisory)
- github.com/volcengine/OpenViking/issues/342 (NVD; Issue Tracking)