Description
Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. An attacker can upload arbitrary files to any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability.
Published: 2026-01-12
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Write
Action: Patch Immediately
AI Analysis

Impact

Gin-vue-admin <= v2.8.7 contains a path traversal flaw in the breakpoint resume upload feature. The API endpoint /fileUploadAndDownload/breakpointContinueFinish passes a fileName value directly to os.OpenFile() by concatenating it to the base directory ./fileDir/ without validating directory-traversal characters. This allows an attacker to write a file to any directory on the server, potentially including executable or configuration files, which may compromise the system or result in unauthorized modifications. The defect maps to CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The affected product is the Gin-vue-admin project from flipped-aurora. Versions up to and including 2.8.7 are impacted. No other vendor or product variants are listed in the CNA data.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is uncommon but still possible, particularly where the API is exposed to untrusted parties. The vulnerability is not currently listed in CISA's KEV catalog. An attacker would need access to the /fileUploadAndDownload/breakpointContinueFinish API with file-upload privileges; the exploit does not require elevated permissions beyond those granted for successful uploads. Once exploited, the attacker could write arbitrary files onto the server filesystem, potentially affecting system operation or security.

Generated by OpenCVE AI on April 18, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the fix referenced in the official advisory or upgrade to a newer release of Gin-vue-admin that removes the vulnerable code.
  • If an upgrade is not immediately possible, disable the breakpoint resume upload feature or restrict it to a secure, whitelisted directory.
  • Implement validation that rejects file names containing '../' sequences and enforce accepted filename patterns before writing to disk.
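An added Go example, not code from the gin-vue-admin project, that mirrors the flawed concatenation the description attributes to MakeFile and places the two recommended controls beside it: an accepted-filename pattern and a containment check ahead of the os.OpenFile call. The ./fileDir/ root is the one named in the advisory; the allowedName pattern, the function names and the sample file names are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// baseDir is the ./fileDir/ upload root named in the advisory.
const baseDir = "./fileDir/"
// allowedName is an assumed allow-list: one path component, no separators, no leading dot.
var allowedName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

// unsafePath mirrors the flawed concatenation described for MakeFile.
func unsafePath(fileName string) string { return baseDir + fileName }

// safePath applies the pattern check, then confirms the resolved path stays inside baseDir.
func safePath(fileName string) (string, error) {
	if !allowedName.MatchString(fileName) {
		return "", fmt.Errorf("file name %q rejected: not a single safe path component", fileName)
	}
	root, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, fileName)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("file name %q rejected: escapes %s", fileName, baseDir)
	}
	return full, nil
}

// openUploadTarget is the hardened replacement for the os.OpenFile call site.
func openUploadTarget(fileName string) (*os.File, error) {
	p, err := safePath(fileName)
	if err != nil {
		return nil, err
	}
	return os.OpenFile(p, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600)
}

func main() { // constructed sample names: one valid chunk name, one traversal attempt
	for _, n := range []string{"chunk-0001.part", "../../etc/cron.d/job"} {
		p, err := safePath(n)
		fmt.Printf("%q unsafe=%q safe=%q err=%v\n", n, filepath.Clean(unsafePath(n)), p, err)
	}
}
```

Running it shows the unsafe concatenation cleaning to a path outside ./fileDir/ for the traversal name, while safePath rejects it and accepts the plain chunk name.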

Advisories

Source: Github GHSA
ID: GHSA-3558-j79f-vvm6
Title: Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal
History

Thu, 12 Mar 2026 19:15:00 +0000

Type: First Time appeared
  Values Added:
    Gin-vue-admin Project
    Gin-vue-admin Project gin-vue-admin
Type: CPEs
  Values Added: cpe:2.3:a:gin-vue-admin_project:gin-vue-admin:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added:
    Gin-vue-admin Project
    Gin-vue-admin Project gin-vue-admin
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Tue, 13 Jan 2026 19:30:00 +0000

Type: Title
  Values Removed: The arbitrary file upload vulnerability caused by path traversal is on github.com/flipped-aurora/gin-vue-admin
  Values Added: Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal

Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
  Values Added:
    Flipped-aurora
    Flipped-aurora gin-vue-admin
Type: Vendors & Products
  Values Added:
    Flipped-aurora
    Flipped-aurora gin-vue-admin

Mon, 12 Jan 2026 22:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 21:15:00 +0000

Type: Description
  Values Added: Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability.
Type: Title
  Values Added: The arbitrary file upload vulnerability caused by path traversal is on github.com/flipped-aurora/gin-vue-admin
Type: Weaknesses
  Values Added:
    CWE-22
    CWE-434
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:15:06.777Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22786

Vulnrichment

Updated: 2026-01-12T21:28:02.174Z

NVD

Status: Analyzed

Published: 2026-01-12T22:16:08.190

Modified: 2026-03-12T19:04:14.820

Link: CVE-2026-22786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses