CVE-2026-7271 - Vulnerability Details

- DV0x creative-ad-agent creative-ad-agent-server sdk-server.ts path traversal

Description

A vulnerability was detected in DV0x creative-ad-agent up to 751b9e5146604dc65049bd0f62dcbdad6212f8a3. Impacted is an unknown function of the file server/sdk-server.ts of the component creative-ad-agent-server. Performing a manipulation of the argument req.params results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 3d255865a957f3740b8724dd914502c0f44d4970. Applying a patch is the recommended action to fix this issue.

Published: 2026-04-28

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CVE identifies a path traversal vulnerability in server/sdk-server.ts of the DV0x creative‑ad‑agent component. By manipulating the req.params argument, an attacker can navigate outside the intended directory structure. Classified under CWE‑22, this flaw permits reading arbitrary files and may facilitate remote exploitation, as the exploit is public and can be used.

Affected Systems

The affected product is DV0x creative‑ad‑agent, versions up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3. The project follows a rolling‑release delivery model, so exact version numbers are not supplied. The security patch corresponding to commit 3d255865a957f3740b8724dd914502c0f44d4970 has been released and should be applied to all deployments that have not yet incorporated this change.

Risk and Exploitability

The vulnerability has a medium CVSS score of 6.9, and its EPSS score is not available, but the presence of a publicly available exploit indicates real‑world risk. The attack vector is remote: an attacker can trigger the traversal via any externally reachable API endpoint that accepts req.params. Because the fix is simple and official, applying the patch is the most effective mitigation, and the vulnerability remains unlisted in CISA’s KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

DV0x

creative-ad-agent

affected

Version	Status	Constraints
`751b9e5146604dc65049bd0f62dcbdad6212f8a3`	affected	—

No data.

Vendor Product Confidence Versions

Dv0x

Creative-ad-agent

100%

Version	Status	Scheme	Platform
`751b9e5146604dc65049bd0f62dcbdad6212f8a3`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patch commit 3d255865a957f3740b8724dd914502c0f44d4970 to the creative‑ad‑agent codebase
If the patch cannot be applied immediately, restrict external network access to the creative‑ad‑agent server and whitelist specific IP ranges to limit attacker exposure
Implement input validation on req.params to enforce allowed path patterns and reject any request containing directory traversal sequences such as ".." or "%2e%2e"

Generated by OpenCVE AI on April 28, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/DV0x/creative-ad-agent/
https://github.com/DV0x/creative-ad-agent/commit/3d255865a957f3740b8724dd914502c0f44d4970
https://github.com/DV0x/creative-ad-agent/issues/1
https://vuldb.com/submit/802887
https://vuldb.com/vuln/359926
https://vuldb.com/vuln/359926/cti

History

Wed, 29 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dv0x Dv0x creative-ad-agent
Vendors & Products		Dv0x Dv0x creative-ad-agent

Tue, 28 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in DV0x creative-ad-agent up to 751b9e5146604dc65049bd0f62dcbdad6212f8a3. Impacted is an unknown function of the file server/sdk-server.ts of the component creative-ad-agent-server. Performing a manipulation of the argument req.params results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 3d255865a957f3740b8724dd914502c0f44d4970. Applying a patch is the recommended action to fix this issue.
Title		DV0x creative-ad-agent creative-ad-agent-server sdk-server.ts path traversal
Weaknesses		CWE-22
References		https://github.com/DV0x/creative-ad-agent/ https://github.com/DV0x/creative-ad-agent/commit/3d255865a957f3740b8724dd914502c0f44d4970 https://github.com/DV0x/creative-ad-agent/issues/1 https://vuldb.com/submit/802887 https://vuldb.com/vuln/359926 https://vuldb.com/vuln/359926/cti
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Dv0x Creative-ad-agent

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-28T12:15:13.901Z

Updated: 2026-04-29T15:10:33.333Z

Reserved: 2026-04-28T05:41:16.875Z

Link: CVE-2026-7271

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-28T13:19:24.547

Modified: 2026-04-28T20:31:00.800

Link: CVE-2026-7271

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:49Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object