Description
A vulnerability has been found in RTGS2017 NagaAgent up to 5.1.0. This issue affects some unknown processing of the file apiserver/routes/extensions.py of the component Skills Endpoint. Such manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exposes a path traversal vulnerability in RTGS2017 NagaAgent’s Skills Endpoint, specifically in the extensions.py file. User-controlled input passed through the Name argument is not validated, allowing an attacker to reference files outside the intended directory. This can lead to reading arbitrary files and, depending on file permissions, executing code, raising confidentiality and integrity risks. The weakness is classified as CWE‑22.

Affected Systems

All installations of RTGS2017 NagaAgent through version 5.1.0 are affected, as the vulnerability is present in the Skills Endpoint component of the APIServer. No later versions are known to be patched in the provided data.

Risk and Exploitability

The CVSS score of 6.9 places the issue in the Medium severity band, and although an EPSS score is not available, the advisory states that the attack is possible remotely. The vulnerability is not listed in CISA’s KEV catalog and no public exploit has been reported, but the path traversal could be leveraged by a malicious actor to exfiltrate data or elevate privileges if the server process has sufficient filesystem access. The overall risk warrants prompt remediation.

Generated by OpenCVE AI on May 5, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RTGS2017 NagaAgent to the latest release that fixes the path traversal bug
  • If an update is unavailable, enforce strict validation on the Name parameter to reject relative paths and traversal sequences
  • Configure the APIServer to run with least privilege and restrict filesystem access to the directories required by the application
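
The second action above, sketched as an added example: this is not NagaAgent's code, and the handler in apiserver/routes/extensions.py is not shown on this page. The names `resolve_skill_dir`, `InvalidSkillName` and the allowed-name pattern are assumptions. The check pairs an allowlist on the name with a containment test after symlink resolution.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: skill names are short identifiers; the project's real rules are not on the page.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class InvalidSkillName(ValueError):
    """Raised when a requested name must not be mapped to a filesystem path."""


def resolve_skill_dir(root: Path, name: str) -> Path:
    """Map a user-supplied skill name to a path directly under `root`, or raise."""
    # 1. Allowlist: rejects separators, "..", absolute paths, encodings, NUL, empty names.
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise InvalidSkillName(f"rejected skill name: {name!r}")
    # 2. Containment: resolve symlinks, then require the result to sit directly in root.
    root_real = root.resolve(strict=True)
    candidate = (root_real / name).resolve()
    if candidate.parent != root_real:
        raise InvalidSkillName(f"skill path escapes root: {name!r}")
    return candidate


def check_samples() -> dict:
    """Run the resolver over constructed sample names in a throwaway directory."""
    samples = ["demo", "link", "../outside", "/etc/passwd", "demo/../../outside", ""]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp, "skills"), Path(tmp, "outside")
        (root / "demo").mkdir(parents=True)
        outside.mkdir()
        # A well-formed name that is a symlink out of the root: only step 2 catches it.
        os.symlink(outside, root / "link")
        for name in samples:
            try:
                resolve_skill_dir(root, name)
                results[name] = True
            except InvalidSkillName:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name!r:24} {'accepted' if accepted else 'rejected'}")
```

Rejections are worth logging with the raw name and client address, since repeated rejected names on this endpoint are a useful detection signal.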



Advisories

No advisories yet.

History

Mon, 04 May 2026 23:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in RTGS2017 NagaAgent up to 5.1.0. This issue affects some unknown processing of the file apiserver/routes/extensions.py of the component Skills Endpoint. Such manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title RTGS2017 NagaAgent Skills Endpoint extensions.py path traversal
Weaknesses CWE-22
References
Metrics
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T23:30:15.477Z

Reserved: 2026-05-04T16:01:11.138Z

Link: CVE-2026-7784

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T00:16:17.647

Modified: 2026-05-05T00:16:17.647

Link: CVE-2026-7784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T00:30:11Z
