Description
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.
Published: 2026-06-10
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Boxlite, a sandbox service that runs OCI containers inside lightweight VMs, has a path traversal flaw (CWE-22) in the code that unpacks OCI image layers on the host: tar entries that are symlinks to absolute paths are accepted without validation. In the classic form of this bug the link is created on the host filesystem as-is, and a later entry in the same archive whose path passes through it is written to the link's absolute target instead of into the image root. An attacker who gets a crafted image loaded into Boxlite can therefore write arbitrary content to any path on the host, which can be escalated to arbitrary code execution on the host, compromising the confidentiality, integrity and availability of the host rather than just the sandboxed workload.

Affected Systems

Affected are all Boxlite releases before 0.9.0. Any deployment running an older boxlite package is exposed as soon as it loads an OCI image the operator does not fully control, for example one pulled from a public registry such as DockerHub; the flaw is in image unpacking, so no further interaction with the container is required.

Risk and Exploitability

The CVSS 3.1 base score is 9.6 (Critical), vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H: no privileges are required, the only user interaction is loading the image (UI:R), and the scope change (S:C) reflects that compromise of the sandboxed workload becomes compromise of the host. No EPSS score is available, and the CVE is not in the CISA KEV catalogue, which means no confirmed in-the-wild exploitation has been recorded there, not that none has occurred. The delivery path is a supply-chain one: an attacker publishes or trojans a public image and waits for a Boxlite user to launch it. Any unpatched deployment that loads images it does not fully control is at serious risk of arbitrary code execution on the host.

Generated by OpenCVE AI on June 10, 2026 at 23:20 UTC.

Remediation

The vendor fix is Boxlite 0.9.0, which patches the symlink handling during image unpacking (see the description and the GHSA advisory below). No workaround is published.

OpenCVE Recommended Actions

  • Upgrade Boxlite to version 0.9.0 or later, which fixes the symlink handling during image unpacking.
  • Only load images from registries you trust, pin them by digest rather than by tag so a republished image cannot silently change, and before loading inspect the layer tarballs for symlink entries with absolute targets or `..` components and for entries whose path passes through an earlier symlink in the same archive.
  • If upgrading is not immediately possible, restrict which images Boxlite may load (an allowlist of digests) and run the Boxlite host process with the least filesystem privilege available, so that a write outside the image's extraction root fails rather than landing in a sensitive host path.
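As an added worked example (my code, not Boxlite's; Python is used because its standard library can both build and parse tar archives offline, and Boxlite's own implementation is not shown on this page), the following reproduces the advisory's pattern on a constructed layer: a scanner implementing the inspection suggested above, an extractor with the flaw as described (it trusts entry names and link targets), and a hardened extractor that checks every resolved path against the extraction root. `host` is a temporary directory standing in for a sensitive absolute path on the real host; all entry names and file contents are made up for illustration.

```python
"""Absolute-symlink traversal in an OCI layer tar: a scanner, the flawed extraction
pattern and a hardened one.  Constructed example, not Boxlite's code."""
import io
import os
import tarfile
import tempfile


def make_layer(entries) -> bytes:
    """Uncompressed tar from (name, symlink_target, file_data); neither -> directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target, data in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
            elif data is None:
                info.type = tarfile.DIRTYPE
            else:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()


def audit_layer(layer: bytes) -> list:
    """Flag entries that can land outside the extraction root: escaping names, links to
    absolute or escaping targets, and paths that cross a symlink created earlier."""
    findings, links = [], {}
    with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
        for m in tar:
            name = os.path.normpath(m.name)
            if os.path.isabs(m.name) or name == ".." or name.startswith("../"):
                findings.append(f"{m.name}: name escapes the root")
            if m.issym() or m.islnk():
                base = os.path.dirname(name) if m.issym() else ""  # hard links are root-relative
                target = os.path.normpath(os.path.join(base, m.linkname))
                if os.path.isabs(m.linkname):
                    findings.append(f"{m.name}: link to absolute path {m.linkname}")
                elif target == ".." or target.startswith("../"):
                    findings.append(f"{m.name}: link escapes the root ({m.linkname})")
                links[name] = m.linkname
            parts = name.split("/")
            for i in range(1, len(parts)):  # does this path pass through an earlier link?
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(f"{m.name}: path crosses symlink {prefix} -> {links[prefix]}")
                    break
    return findings


def extract(layer: bytes, root: str, hardened: bool = True) -> None:
    """hardened=False is the flawed pattern: names and link targets are trusted, so an
    absolute symlink is created as-is and later entries are written through it.
    hardened=True refuses anything resolving outside root (realpath honours links on disk)."""
    root = os.path.realpath(root)
    def inside(p: str) -> bool:
        return os.path.commonpath([os.path.realpath(p), root]) == root
    with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
        for m in tar:
            path = os.path.join(root, m.name)
            if hardened and (os.path.isabs(m.name) or not inside(path)):
                raise ValueError(f"entry escapes root: {m.name}")
            if hardened and m.issym() and (os.path.isabs(m.linkname) or not inside(
                    os.path.join(os.path.dirname(path), m.linkname))):
                raise ValueError(f"symlink escapes root: {m.name} -> {m.linkname}")
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            elif m.isfile():
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())


def demo() -> dict:
    """Run everything on a malicious and a benign layer; 'host' stands in for a sensitive
    absolute path on the real host.  All entry names and contents are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        host, a, b, c = (os.path.join(tmp, n) for n in ("host", "a", "b", "c"))
        for d in (host, a, b, c):
            os.mkdir(d)
        bad = make_layer([("etc", host, None),  # symlink to an absolute host path ...
                          ("etc/marker.txt", None, b"through the link\n")])  # ... then a write via it
        good = make_layer([("usr/bin", None, None), ("usr/bin/sh", "dash", None),
                           ("usr/bin/dash", None, b"#!/bin/sh\n")])
        extract(bad, a, hardened=False)
        try:
            extract(bad, b)
            blocked = False
        except ValueError:
            blocked = True
        extract(good, c)
        return {"findings": audit_layer(bad), "benign_findings": audit_layer(good),
                "naive_escaped": os.path.isfile(os.path.join(host, "marker.txt")),
                "hardened_blocked": blocked,
                "benign_extracted": os.path.islink(os.path.join(c, "usr/bin/sh"))}
```

Calling `demo()` shows the flawed extractor landing `marker.txt` in `host` (outside the image root) while the hardened one refuses the layer at the symlink entry and still unpacks the benign layer with its relative `sh -> dash` link intact. The scanner reports both the absolute link and the entry that passes through it, which is the pair to look for when triaging third-party images. On Python 3.12+ (and the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 backports) `tarfile.extractall(..., filter="data")` applies equivalent rules, rejecting absolute link targets and entries that would resolve outside the destination; the hand-written checks above show what such a filter has to do.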

Advisories
Source: GitHub GHSA
ID: GHSA-f396-4rp4-7v2j
Title: Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
History

Wed, 10 Jun 2026 22:30:00 +0000 (initial record; the Values Removed column is empty, the entries below are Values Added)

Description: added, identical to the Description at the top of this page
Title: BoxLite: Path Traversal Vulnerability in boxlite Leads to Arbitrary File Write on the Host
Weaknesses: CWE-22
References:
Metrics: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-10T22:20:24.569Z
Reserved: 2026-05-15T23:26:58.309Z
Link: CVE-2026-46703

Vulnrichment
No data.

NVD
Status: Received
Published: 2026-06-10T23:16:47.893
Modified: 2026-06-10T23:16:47.893
Link: CVE-2026-46703

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-06-10T23:30:44Z
Weaknesses