Description
Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from a Static Route, it was possible to request paths such as http://localhost:8080/c:/Windows/System32/drivers/etc/hosts and have the contents returned. This vulnerability is fixed in 2.13.0.
Published: 2026-05-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

From version 2.4.0 up to, but not including, 2.13.0, the Pode framework’s static route handling allowed an attacker to request arbitrary filesystem paths in the URL. By supplying a path such as /c:/Windows/System32/drivers/etc/hosts, the requester received the file’s contents in the response. The flaw discloses any file readable by the server process, potentially exposing system configuration, credentials, or code. The weakness corresponds to CWE‑22: Path Traversal.

Affected Systems

The affected product is Badgerati’s Pode, a cross‑platform PowerShell web framework. Versions from 2.4.0 through all releases prior to 2.13.0 are vulnerable. Later releases (2.13.0 and beyond) contain the fix.

Risk and Exploitability

The CVSS score of 6.9 classifies the flaw as moderate severity. While the EPSS score is not available, the maintenance status of the product and the direct ability to read arbitrary files over HTTP mean that exploitation is likely practical. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote over the network; an unauthenticated client can craft a URL to the static route and retrieve any file the server process can read.

Generated by OpenCVE AI on May 14, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pode to version 2.13.0 or later, which removes the directory traversal capability
  • If an upgrade is not immediately possible, restrict static route access to a specific directory tree and reject requested paths that contain '..' segments or that are absolute (rooted) rather than relative
  • Limit exposure of Pode’s HTTP endpoint to trusted networks or protect it behind a firewall or reverse proxy
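The containment check described in the second recommendation, written out as an added PowerShell example. This is illustrative code, not Pode's own implementation: the function name Test-StaticPathAllowed, the static root directories and the sample requests other than the advisory's hosts-file URL are assumptions.

```powershell
# Added example: validate a requested URL path against a static-file root before serving it.
# Not Pode's code; Test-StaticPathAllowed and the root directories below are hypothetical.

function Test-StaticPathAllowed {
    param(
        [Parameter(Mandatory)] [string] $StaticRoot,   # directory the route is allowed to serve
        [Parameter(Mandatory)] [string] $RequestPath   # path portion of the HTTP request
    )

    # Decode percent-encoding first, so "%2e%2e" and "%2f" are inspected in decoded form.
    $decoded = [System.Uri]::UnescapeDataString($RequestPath)

    # Normalise separators and drop the leading "/" that every URL path carries.
    $relative = ($decoded -replace '\\', '/').TrimStart('/')

    # A rooted path ("c:/...", "//server/share") must never be treated as relative:
    # [IO.Path]::Combine discards its first argument when the second one is rooted,
    # which is exactly how a request like /c:/Windows/... ends up reading the real file.
    if ([System.IO.Path]::IsPathRooted($relative)) { return $false }

    # Reject any ".." segment outright instead of relying on later normalisation.
    if ($relative.Split('/') -contains '..') { return $false }

    # Resolve the candidate and confirm it still sits inside the root after normalisation.
    try {
        $root      = [System.IO.Path]::GetFullPath($StaticRoot).TrimEnd('\', '/')
        $candidate = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $relative))
    } catch {
        # Invalid characters (for example a stray ':' on Windows) are not worth serving.
        return $false
    }

    $sep       = [System.IO.Path]::DirectorySeparatorChar
    $onWindows = $sep -eq '\'
    $cmp       = if ($onWindows) { [System.StringComparison]::OrdinalIgnoreCase } else { [System.StringComparison]::Ordinal }

    # The root itself (a request for "/") is allowed; anything else must be below "<root><sep>".
    return ($candidate -eq $root) -or $candidate.StartsWith("$root$sep", $cmp)
}

# Constructed sample requests against a hypothetical static root. The second path is the
# one quoted in the advisory; the others are common traversal shapes.
$root = if ([System.IO.Path]::DirectorySeparatorChar -eq '\') { 'C:\site\public' } else { '/srv/site/public' }
foreach ($p in '/index.html',
               '/c:/Windows/System32/drivers/etc/hosts',
               '/..%2F..%2Fetc%2Fpasswd',
               '/css/../../secret.txt') {
    '{0,-45} allowed={1}' -f $p, (Test-StaticPathAllowed -StaticRoot $root -RequestPath $p)
}
```

On a Windows host the advisory's URL is rejected by the rooted-path check; on a non-Windows host "c:/Windows/..." is not rooted and simply resolves to a non-existent file under the static root, so the final prefix comparison is what matters there. Decoding before inspecting segments, and checking the fully resolved path rather than the raw string, are the two steps that keep encoded or nested variants from slipping past a plain '..' substring test.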


Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type: First Time appeared
Values Added: Badgerati; Badgerati pode

Type: Vendors & Products
Values Added: Badgerati; Badgerati pode

Thu, 14 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 18:15:00 +0000

Type: Description
Values Added: Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from a Static Route, it was possible to request paths such as http://localhost:8080/c:/Windows/System32/drivers/etc/hosts and have the contents returned. This vulnerability is fixed in 2.13.0.

Type: Title
Values Added: Pode: Directory Traversal is possible on Static Routes

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:40:09.876Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42598

Vulnrichment

Updated: 2026-05-14T18:40:03.705Z

NVD

Status: Deferred

Published: 2026-05-14T18:16:48.313

Modified: 2026-05-14T18:27:25.110

Link: CVE-2026-42598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:09:04Z

Weaknesses