Description
The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem.
Published: 2026-04-03
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a directory traversal flaw in the decryption logic that handles the filePath property of exported files. When the Stackfield Desktop App processes a crafted export with a specially formatted filePath, the application writes the export’s content to an arbitrary location on the host file system. This allows an attacker to create or overwrite any file, including system binaries or configuration files, thereby compromising the integrity and potentially the availability of the compromised machine.

Affected Systems

Stackfield Desktop App versions prior to 1.10.2 on both macOS and Windows are affected. Versions 1.10.2 and later are not vulnerable.

Risk and Exploitability

With a CVSS score of 9.6 the flaw is considered critical. No EPSS score is available, and it is not yet listed in the CISA KEV catalog. The likely attack path requires an attacker to supply a malicious export file that the victim opens or imports. This is inferred from the description, as the vulnerability is triggered by processing the filePath property during export handling. Given that the ability to deliver the malicious export is sufficient for exploitation, the vulnerability is highly exploitable with low complexity.

Generated by OpenCVE AI on April 3, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Stackfield Desktop App to version 1.10.2 or later
  • If an update is not immediately possible, stop opening or importing export files from untrusted or unknown sources
  • Verify that any export files originate from trusted parties before use
  • Monitor the file system for unexpected or newly created files that may indicate exploitation

Generated by OpenCVE AI on April 3, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Stackfield Desktop App Path Traversal Leading to Arbitrary File Write

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Stackfield
Stackfield desktop App
Vendors & Products Stackfield
Stackfield desktop App

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem.
References

Subscriptions

Stackfield Desktop App
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T17:45:09.221Z

Reserved: 2026-02-27T00:00:00.000Z

Link: CVE-2026-28373

cve-icon Vulnrichment

Updated: 2026-04-03T17:44:17.071Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-03T17:16:42.140

Modified: 2026-04-07T13:20:55.200

Link: CVE-2026-28373

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:15Z

Weaknesses