Description
A vulnerability was identified in continuedev continue up to 1.2.22. This affects the function lsTool of the file core/tools/implementations/lsTool.ts of the component JSON-RPC Server. Such manipulation of the argument dirPath leads to path traversal. An attack has to be approached locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the lsTool function (core/tools/implementations/lsTool.ts) of the JSON‑RPC Server component of continuedev continue. An attacker who can reach the JSON‑RPC interface locally can supply a crafted dirPath argument and have the tool list directories outside the intended workspace. The CVE description does not state how far the traversal reaches; the recorded CVSS vectors assign a low confidentiality impact and no integrity or availability impact, which is consistent with disclosure of directory contents rather than modification of files. The weakness is classified as CWE‑22 (path traversal).

Affected Systems

continuedev continue versions up to and including 1.2.22 are listed as affected. The CPE on the record is unversioned (cpe:2.3:a:continuedev:continue:*), so the affected range comes from the description alone, and no fixed version has been identified: the description notes that the vendor did not respond to the disclosure.

Risk and Exploitability

The CVSS 4.0 score of 4.8 (Medium) is the headline score; the CVSS 3.0 and 3.1 vectors score 3.3 (Low). All recorded vectors agree on the attack profile: local attack vector (AV:L), low privileges required (PR:L), no user interaction (UI:N), low confidentiality impact and no integrity or availability impact. Exploitation is therefore limited to users or processes that already have an account on the machine and can reach the local JSON‑RPC endpoint. No EPSS data is available, so the probability of exploitation in the wild is not estimated, and the vulnerability is not listed in the CISA KEV catalog. A proof‑of‑concept exploit is publicly available (exploit maturity E:P in the vectors), which raises the practical risk where the JSON‑RPC service is reachable by untrusted local users.

Generated by OpenCVE AI on May 18, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade continuedev continue to a version newer than 1.2.22 once the vendor releases a fix; at the time of this record none has been announced.
  • If an upgrade is not possible, restrict access to the JSON‑RPC service so that only trusted users can invoke lsTool, and disable the lsTool endpoint where it is not required.
  • Implement input validation that does not rely on rejecting ".." substrings alone: resolve dirPath against a fixed workspace root, canonicalize the result (following symlinks), and reject any request whose canonical target lies outside that root, including absolute paths supplied as dirPath.
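
The following is an added example, not code from the Continue project (whose lsTool implementation is not shown on this page). It contrasts a blocklist-only filter with a canonicalize-and-contain check in TypeScript, the language of lsTool.ts. The names resolveWithinRoot, safeListDir, buildFixture and demo are assumed for illustration, and the workspace directory, the symlink and the file inside it are constructed by the example itself.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Weak check of the kind a blocklist-only fix produces: it stops "../x"
// but lets an absolute path, or a symlink inside the workspace, escape.
function naiveTraversalCheck(dirPath: string): boolean {
  return !dirPath.split(/[\\/]/).includes("..");
}

// Hardened containment check (example code, not the project's own):
// 1. resolve the request against a fixed workspace root,
// 2. canonicalize both sides so a symlink cannot point outside the root,
// 3. accept only if the canonical target is the root or a descendant of it.
// Returns the canonical directory to list, or null if the request must be refused.
function resolveWithinRoot(workspaceRoot: string, dirPath: string): string | null {
  const root = fs.realpathSync(workspaceRoot);
  const candidate = path.resolve(root, dirPath); // absolute dirPath wins here, so check below
  let real: string;
  try {
    real = fs.realpathSync(candidate);
  } catch {
    return null; // nonexistent target: nothing to list, and nothing to leak
  }
  const rel = path.relative(root, real);
  if (rel === "") return real; // the root itself
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null; // canonical target is outside the workspace
  }
  return real;
}

// Hypothetical safe wrapper around directory listing, standing in for lsTool.
function safeListDir(workspaceRoot: string, dirPath: string): string[] {
  const target = resolveWithinRoot(workspaceRoot, dirPath);
  if (target === null) throw new Error(`dirPath escapes the workspace: ${dirPath}`);
  return fs.readdirSync(target).sort();
}

// Constructed fixture: a workspace with one real subdirectory and one
// symlink ("escape") that points to a directory outside the workspace.
function buildFixture(): { root: string; outside: string } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "lstool-demo-"));
  const root = path.join(base, "workspace");
  const outside = path.join(base, "outside");
  fs.mkdirSync(path.join(root, "src"), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed sample\n");
  fs.symlinkSync(outside, path.join(root, "escape"), "dir");
  return { root, outside };
}

// Run the hardened check over representative dirPath values; true means accepted.
function demo(): Record<string, boolean> {
  const { root, outside } = buildFixture();
  const inputs: Record<string, string> = {
    relative_ok: "src",       // inside the workspace
    dotdot: "../outside",     // classic traversal
    absolute: outside,        // absolute path, no ".." anywhere
    symlink: "escape",        // in-workspace symlink pointing outside
    root_itself: ".",         // the workspace root
  };
  const result: Record<string, boolean> = {};
  for (const [name, input] of Object.entries(inputs)) {
    result[name] = resolveWithinRoot(root, input) !== null;
  }
  return result;
}
```

The absolute and symlink cases are the ones a ".." blocklist misses: naiveTraversalCheck passes both, while resolveWithinRoot rejects them because it compares canonical paths on both sides. Because realpath needs the target to exist, a window remains between the check and the readdir in which the directory could be swapped for a symlink; a listing tool that must resist a hostile local user should open the directory once and read the listing from that handle.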

Generated by OpenCVE AI on May 18, 2026 at 00:50 UTC.

Advisories

No advisories yet.

History

Sun, 17 May 2026 23:30:00 +0000

Type: Values Added (the Values Removed column is empty for this entry, which created the record)

Description: A vulnerability was identified in continuedev continue up to 1.2.22. This affects the function lsTool of the file core/tools/implementations/lsTool.ts of the component JSON-RPC Server. Such manipulation of the argument dirPath leads to path traversal. An attack has to be approached locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: continuedev continue JSON-RPC Server lsTool.ts lsTool path traversal
First Time appeared: Continuedev; Continuedev continue
Weaknesses: CWE-22
CPEs: cpe:2.3:a:continuedev:continue:*:*:*:*:*:*:*:*
Vendors & Products: Continuedev; Continuedev continue
References: (none listed)
Metrics:
  cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T23:15:15.257Z

Reserved: 2026-05-17T09:30:17.576Z

Link: CVE-2026-8770

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T00:16:37.343

Modified: 2026-05-18T00:16:37.343

Link: CVE-2026-8770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T01:00:06Z

Weaknesses