CVE-2026-50877

Vulnerability

Zhoros SuperBin v1.0.0 contains a directory traversal vulnerability in its multiple-file download feature. The MultipleFileWriter in fileWriters.go creates ZIP entries using zipWriter.Create(fileHeader.Filename), where fileHeader.Filename is taken directly from the multipart upload filename without sanitization. This allows an attacker to supply filenames containing backslash traversal sequences (e.g., ..\..\poc.txt). On Unix-like servers, Go's multipart handling strips forward slashes but leaves backslashes intact, so the traversal string is preserved in the ZIP archive [1].

Exploitation

An attacker must be able to upload multiple files to SuperBin v1.0.0. The attacker crafts a multipart part whose filename includes backslash traversal, such as ..\..\superbin-poc.txt. After uploading, the attacker requests the ZIP download of those files. The generated ZIP contains an entry with the traversal-bearing name. When a Windows-style extractor (e.g., WinRAR, 7-Zip, or the built-in Windows ZIP handler) extracts the archive, it interprets the backslash as a path separator, causing the file to be written outside the intended extraction directory [1].

Impact

Successful exploitation results in arbitrary file placement on the filesystem of any user or system that extracts the malicious ZIP on Windows. The server-side upload and storage are not directly compromised; the impact is limited to downstream extraction. The attacker can overwrite or create files in arbitrary locations relative to the extraction directory, potentially leading to code execution or system compromise depending on the extraction context [1].

Mitigation

No fix has been disclosed in the available references as of the publication date. Users should avoid extracting SuperBin-generated ZIP archives on Windows systems, or use extraction tools that reject entries containing path traversal characters. Administrators may consider disabling the multiple-file download feature until a patch is released [1].