Description
FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.
Published: 2026-04-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

FalkorDB Browser 1.9.3 contains an unauthenticated path traversal flaw in its file upload API, allowing an attacker to write arbitrary files to the server's file system and thereby execute code remotely. The vulnerability is a classic example of the "Path Traversal" weakness (CWE-22). The impact is the complete compromise of confidentiality, integrity, and availability by enabling arbitrary code execution on the host running FalkorDB Browser.

Affected Systems

The flaw affects FalkorDB Browser version 1.9.3, as supplied by FalkorDB. No other versions or additional products were listed, so only installations of this exact version are susceptible.

Risk and Exploitability

With a CVSS score of 9.8 the issue is rated Critical. The EPSS score is below 1%, indicating low expected exploitation frequency, and it is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated HTTP request to the file upload endpoint, exploiting directory traversal to write a malicious file that can then be executed. No authentication is required, so any user who can reach the API over the network can trigger the flaw if the API is exposed.

Generated by OpenCVE AI on April 10, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FalkorDB Browser to a patched version (at least 1.9.4).
  • If an immediate upgrade is not possible, restrict the file upload API to authenticated users only and constrain acceptable file paths and types.
  • Continuously monitor upload activity for suspicious patterns and block malicious files, and consult FalkorDB for any forthcoming fixes.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
        | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Falkordb; Falkordb falkordb Browser
Vendors & Products | | Falkordb; Falkordb falkordb Browser

Fri, 10 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.
Title | | Unauthenticated Path Traversal in FalkorDB Browser Leads to Remote Code Execution
Weaknesses | | CWE-22
References | |

MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-04-10T20:25:53.551Z

Reserved: 2026-04-10T00:33:01.535Z

Link: CVE-2026-6057

Vulnrichment

Updated: 2026-04-10T20:25:10.352Z

NVD

Status : Awaiting Analysis

Published: 2026-04-10T10:16:04.547

Modified: 2026-04-13T15:02:06.187

Link: CVE-2026-6057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:06:13Z

Weaknesses