Description
Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences through the remember tool. Attackers can manipulate the memory_type parameter in the persistent memory store to cause the application to write arbitrary Markdown files to unintended locations on the filesystem.
Published: 2026-06-30
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vibe‑Trading before version 0.1.10 contains a path traversal vulnerability that enables an attacker to supply a malicious memory_type value through the remember tool. The malformed input causes the application to write Markdown files outside the intended memory root directory. This flaw, identified as CWE‑22, allows an attacker to overwrite or create arbitrary files, potentially leading to data tampering or execution of malicious content. The CVSS score of 6.0 reflects a medium severity due to the potential impact on confidentiality and integrity.

Affected Systems

The vulnerable product is Vibe‑Trading by HKUDS, affecting all releases earlier than 0.1.10. Systems running these versions are susceptible to exploitation unless they have been upgraded to 0.1.10 or later.

Risk and Exploitability

The vulnerability carries a CVSS rating of 6.0, has no EPSS score available, and is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a memory_type string containing traversal sequences; this can be performed remotely if the remember tool’s interface is exposed over a network, or locally by any user who can invoke the tool. No additional prerequisites beyond the ability to send the malicious input are stated in the description, so the exploitability is considered moderate to high provided the tool is accessible.

Generated by OpenCVE AI on June 30, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Vibe‑Trading 0.1.10 or later so the path traversal handling is fixed.
  • Restrict access to the remember tool so only trusted local users can invoke it, preventing remote or unauthenticated manipulation.
  • Implement input validation for memory_type to reject or sanitize any path traversal sequences, ensuring writes remain confined to the intended directory.
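
One way to implement the input validation recommended above, as an added example rather than Vibe-Trading's own code or its 0.1.10 fix. The function names, the slug policy for memory_type and the `<root>/<memory_type>/<name>.md` layout are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed policy: memory_type is a short lowercase slug (not from Vibe-Trading).
_SLUG = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


def safe_memory_path(root: Path, memory_type: str, name: str) -> Path:
    """Return <root>/<memory_type>/<name>.md or raise ValueError (hypothetical layout)."""
    for label, value in (("memory_type", memory_type), ("name", name)):
        if not isinstance(value, str) or not _SLUG.fullmatch(value):
            raise ValueError(f"invalid {label}: {value!r}")
    root = root.resolve()
    target = (root / memory_type / f"{name}.md").resolve()
    # Defence in depth: resolve() follows symlinks, so a symlinked
    # subdirectory that points outside root is rejected here as well.
    if not target.is_relative_to(root):
        raise ValueError(f"path escapes memory root: {target}")
    return target


def write_memory(root: Path, memory_type: str, name: str, body: str) -> Path:
    target = safe_memory_path(root, memory_type, name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body, encoding="utf-8")
    return target


def demo() -> dict:
    """Run constructed inputs against a temporary root; True means rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "memory"
        root.mkdir()
        for memory_type in ("project", "../outside", "/tmp/abs", "a/../../b", "..", ""):
            try:
                write_memory(root, memory_type, "note", "# test\n")
                results[memory_type] = False
            except ValueError:
                results[memory_type] = True
        # Nothing may have been created beside the memory root.
        results["_leaked"] = sorted(p.name for p in Path(tmp).iterdir()) != ["memory"]
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlist check rejects the input before any filesystem call; the resolved-path containment check covers cases the pattern cannot see, such as a symlink already present under the memory root.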

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
  • Description: Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences through the remember tool. Attackers can manipulate the memory_type parameter in the persistent memory store to cause the application to write arbitrary Markdown files to unintended locations on the filesystem.
  • Title: Vibe-Trading < 0.1.10 - Path Traversal via Persistent Memory Type
  • Weaknesses: CWE-22
  • References
  • Metrics:
      cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
      cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T15:55:29.117Z

Reserved: 2026-06-29T16:03:38.522Z

Link: CVE-2026-58173

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:30:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')