A path traversal vulnerability exists in the configName parameter of qSnapper before version 1.3.3. The flaw permits a local attacker to supply a path that escapes the intended configuration directory, allowing the attacker to place arbitrary configuration files in snapper’s directory. By doing so, the attacker can trigger a denial of service or, if privileged operations are invoked from these files, potentially elevate privileges to root. This weakness aligns with CWE‑23, a classic path traversal vulnerability that can compromise file confidentiality, integrity, and availability.

Products affected are qSnapper versions released by Presire that are older than 1.3.3. Users running any pre‑1.3.3 build are vulnerable. The vulnerability was identified in the code base that handles the configName argument, so any deployment of qSnapper that accepts user‑specified configuration names without validation is impacted.

Using the available CVSS score of 7.3 the flaw is considered high severity. The EPSS score is not published, and the vulnerability is not listed in the CISA KEV catalog, indicating no known in‑the‑wild exploitation yet. Nonetheless, the local attack requirement means that only users with access to the machine can exploit the flaw, but such local attackers can leverage the path traversal to overwrite configuration files that may lead to denial of service or privilege escalation. The official fix in v1.3.3 removes the uncontrolled path handling; until that update is applied the risk remains.