CVE-2026-7271
Description
A vulnerability was detected in DV0x creative-ad-agent up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3. An unknown function of the file server/sdk-server.ts in the component creative-ad-agent-server is affected. Manipulating the argument req.params results in path traversal. The attack can be launched remotely. The exploit is public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is identified as commit 3d255865a957f3740b8724dd914502c0f44d4970. Applying the patch is the recommended action to fix this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in creative-ad-agent server allows remote unauthenticated attackers to read arbitrary files via crafted route parameters.
Vulnerability
A path traversal vulnerability (CWE-22) exists in the creative-ad-agent-server component of the DV0x creative-ad-agent repository up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3. The flaw resides in the /images/:sessionId?/:filename endpoint inside server/sdk-server.ts. User-supplied route parameters (req.params) are used to construct a filesystem path without validating that the resolved path stays within the intended generated-images directory [1][3].
Exploitation
An attacker with network access to the server can send HTTP requests containing encoded path traversal sequences (e.g., %2e%2e/) to read arbitrary files accessible to the server process. The exploit is publicly available in a bug report that includes curl commands demonstrating file reads outside the intended directory, including system files like /etc/hosts [3]. No authentication is required, and the attack can be executed remotely [1][3].
Impact
Successful exploitation allows an attacker to read sensitive files on the host system, including repository configuration, environment files, or other data accessible to the server process. The server may leak secrets or application source code, potentially leading to further compromise [1][3].
Mitigation
The maintainer has published a patch in commit 3d255865a957f3740b8724dd914502c0f44d4970 [2]. Applying this patch is the recommended action to fix the vulnerability. The project follows a rolling release model, so version numbers are not provided [1][2].
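The flaw described in the Vulnerability and Mitigation sections, as an added illustration that is not the project's code and not the published patch: the unchecked join of route parameters onto the images directory, beside a hardened resolver that rejects traversal before touching the filesystem. The directory path and the function names are assumptions.

```typescript
import * as path from "path";

// Assumed location of the generated-images directory (not taken from the project).
const GENERATED_IMAGES_DIR = path.resolve("/srv/app/generated-images");

// The flawed pattern the advisory describes: route parameters are joined onto the
// images directory with no check that the result stays inside it. Express has
// already percent-decoded the params, so "%2e%2e%2f" arrives here as "../".
function vulnerableResolve(root: string, sessionId: string | undefined, filename: string): string {
  return path.join(root, sessionId ?? "", filename);
}

// Hardened resolver for a route of the shape /images/:sessionId?/:filename.
// Returns the absolute path if it stays inside `root`, otherwise null so the
// handler can answer 400/404 instead of reading the file.
function resolveImagePath(root: string, sessionId: string | undefined, filename: string): string | null {
  // Each param must be a single plain path segment: non-empty, not "." or "..",
  // and free of separators (forward or back) and NUL bytes.
  const segmentOk = (s: string): boolean =>
    s.length > 0 && s !== "." && s !== ".." && !/[\\\/\0]/.test(s);
  if (!segmentOk(filename)) return null;
  if (sessionId !== undefined && !segmentOk(sessionId)) return null;

  const candidate = path.resolve(root, ...(sessionId !== undefined ? [sessionId] : []), filename);

  // Containment check on the resolved path. path.relative is used rather than a
  // startsWith() prefix test so that a sibling such as "generated-images2" is not
  // mistaken for a descendant of the root.
  const rel = path.relative(root, candidate);
  if (rel === "" || path.isAbsolute(rel) || rel.split(path.sep)[0] === "..") return null;
  return candidate;
}

// Stand-alone demonstration on constructed inputs.
console.log(resolveImagePath(GENERATED_IMAGES_DIR, "sess1", "banner.png"));      // path inside root
console.log(resolveImagePath(GENERATED_IMAGES_DIR, "sess1", "../../etc/hosts")); // null
```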
- [1] GitHub - DV0x/creative-ad-agent: Multi-agent system for generating Meta/Instagram ad creatives using Claude SDK and Nano Banana MCP
- [2] docs: Session 78B — close Session 77 handoff Gap #2 + Gap #4 · DV0x/creative-ad-agent@3d25586
- [3] [BUG] Security: Path Traversal File Read Vulnerability in creative-ad-agent-server of Creative Ad Agent
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.