{"uuid": "deb4aa08-e3ba-4ce2-8e1e-8bec6509c177", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50877", "type": "seen", "source": "https://gist.github.com/pyuysig/ed896b93637aa6501e5f80def198c626", "content": "# Vulnerability Report: CVE-2026-50877 - SuperBin - Generated ZIP preserves traversal filenames\n\n## Vulnerability Summary\nZhoros SuperBin 1.0.0 contains a directory traversal issue in multi-file ZIP generation. A remote attacker can upload files with crafted traversal filenames that are preserved in the generated ZIP, causing files to be written outside the intended extraction directory when a victim extracts the archive on affected platforms.\n\n## Affected Product\n- **Vendor**: Zhoros\n- **Product**: SuperBin\n- **Version**: 1.0.0\n- **Vulnerable Component**: fileWriters.go, MultipleFileWriter multi-file upload ZIP generation\n\n## Vulnerability Details\n- **Vulnerability Type**: Directory Traversal\n- **Weakness**: CWE-22\n- **Attack Conditions**: Upload multiple files with Windows-style traversal names such as ..\\..\\.git\\hooks\\post-checkout and induce a victim to extract the generated ZIP.\n\n## Report Body\n\n### Summary\nZhoros SuperBin 1.0.0 contains a directory traversal issue in multi-file ZIP generation. A remote attacker can upload files with crafted traversal filenames that are preserved in the generated ZIP, causing files to be written outside the intended extraction directory when a victim extracts the archive on affected platforms.\n\n### Details\nThe ZIP writer preserves attacker-controlled uploaded filenames without normalizing or rejecting traversal components before creating archive entries.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50877.\n3. Confirm the security result: The generated ZIP contains entries with traversal path components. Extraction with vulnerable or permissive tools writes files outside the expected destination.\n\n### Impact\nTraversal file entries in generated ZIP archives can overwrite files during victim-side extraction; in Git working trees on Windows this can be used to plant hook files under some extraction workflows.\n\n## Remediation\nNormalize archive entry names, reject absolute paths and traversal segments, and store uploaded files under safe generated names.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:44.000000Z"}