Description
An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a directory traversal via supplying files with names containing traversal characters.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in Zhoros SuperBin version 1.0.0 permits attackers to inject path traversal characters in file names during an operation that saves or handles files. This flaw allows the attacker to reference directories outside the intended scope, potentially reading or writing sensitive files on the target system as the program’s user. The weakness is classified as CWE‑22, indicating an improper limitation on a pathname. The resulting impact is the unauthorized disclosure, modification, or deletion of files that should otherwise be protected.

Affected Systems

The affected product is Zhoros SuperBin, specifically the 1.0.0 release. Vendor details are not publicly identified in the CVE advisory. No other product versions are noted as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of less than 1% shows a very low probability that this flaw is actively exploited in the wild at this time, and the flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves an attacker sending a specially crafted file name to the application’s file handling component; the vulnerability would be exploitable if the application accepts arbitrary file names without sanitization and writes them to the file system. The exploit requires the application to be running on the target host and the attacker to have access to the file upload or naming input surface, but no elevated privileges are necessary if the application runs with sufficient rights to the destination directories. Once the path traversal is achieved, the attacker can read or modify any file within the application’s filesystem context, which could lead to credential leakage or arbitrary code execution if configuration files are altered.

Generated by OpenCVE AI on June 17, 2026 at 23:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch for Zhoros SuperBin 1.0.0 that removes the path traversal flaw before using the application
  • Implement strict input validation for any user‑supplied file names, rejecting any that contain traversal sequences such as '../' or absolute paths
  • Enforce a dedicated safe directory for file writes and validate that the resulting path resolves within that directory

Generated by OpenCVE AI on June 17, 2026 at 23:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Zhoros
Zhoros superbin
Vendors & Products Zhoros
Zhoros superbin

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Directory Traversal Vulnerability in Zhoros SuperBin 1.0.0 Allows Arbitrary File Access

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An issue in Zhoros SuperBin v1.0.0 allows attackers to execute a directory traversal via supplying files with names containing traversal characters.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T13:07:40.911Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50877

cve-icon Vulnrichment

Updated: 2026-06-16T13:07:28.387Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:30.617

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-50877

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:35:51Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')