High severity8.6NVD Advisory· Published Mar 20, 2026· Updated Apr 14, 2026

CVE-2026-33166

Description

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.qameta.allure:allure-generatorMaven	< 2.38.0	2.38.0

Affected products

Qameta/Allure Report
cpe:2.3:a:qameta:allure_report:*:*:*:*:*:*:*:*
Range: <2.38.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppwnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-64hm-gfwq-jppwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33166ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.559
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000