CVE-2026-49290 (GCVE-0-2026-49290)
Vulnerability from cvelistv5 – Published: 2026-06-19 17:31 – Updated: 2026-06-22 17:13
VLAI
Title
Slopsmith has path traversal in archive extractors that allows arbitrary file write → potential RCE
Summary
Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` — PSARC TOC filenames; `lib/patcher.py::unpack_psarc` — duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` — bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module's default `extractall()` is documented as not preventing traversal when callers don't supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://web.archive.org/web/20260522065709/https:… | x_refsource_CONFIRM |
| https://github.com/byrongamatos/slopsmith/securit… | x_refsource_MISC |
| https://github.com/byrongamatos/slopsmith/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| byrongamatos | slopsmith |
Affected:
< 0.2.9-alpha.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T17:04:05.730204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T17:13:29.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "slopsmith",
"vendor": "byrongamatos",
"versions": [
{
"status": "affected",
"version": "\u003c 0.2.9-alpha.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith\u0027s archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` \u2014 PSARC TOC filenames; `lib/patcher.py::unpack_psarc` \u2014 duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` \u2014 bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module\u0027s default `extractall()` is documented as not preventing traversal when callers don\u0027t supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36: Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T17:31:05.659Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith"
},
{
"name": "https://github.com/byrongamatos/slopsmith/security/advisories/GHSA-8wr9-348x-xwmr",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/byrongamatos/slopsmith/security/advisories/GHSA-8wr9-348x-xwmr"
},
{
"name": "https://github.com/byrongamatos/slopsmith/commit/9cccac12a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/byrongamatos/slopsmith/commit/9cccac12a"
},
{
"name": "https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith",
"tags": [
"x_refsource_MISC"
],
"url": "https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith"
}
],
"source": {
"advisory": "GHSA-8wr9-348x-xwmr",
"discovery": "UNKNOWN"
},
"title": "Slopsmith has path traversal in archive extractors that allows arbitrary file write \u2192 potential RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49290",
"datePublished": "2026-06-19T17:31:05.659Z",
"dateReserved": "2026-05-28T20:07:58.862Z",
"dateUpdated": "2026-06-22T17:13:29.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-49290",
"date": "2026-06-27",
"epss": "0.00568",
"percentile": "0.42802"
},
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Slopsmith has path traversal in archive extractors that allows arbitrary file write \\u2192 potential RCE\", \"source\": {\"advisory\": \"GHSA-8wr9-348x-xwmr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"byrongamatos\", \"product\": \"slopsmith\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.2.9-alpha.5\"}]}], \"references\": [{\"url\": \"https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith\", \"name\": \"https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/byrongamatos/slopsmith/security/advisories/GHSA-8wr9-348x-xwmr\", \"name\": \"https://github.com/byrongamatos/slopsmith/security/advisories/GHSA-8wr9-348x-xwmr\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/byrongamatos/slopsmith/commit/9cccac12a\", \"name\": \"https://github.com/byrongamatos/slopsmith/commit/9cccac12a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith\", \"name\": \"https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith\u0027s archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` \\u2014 PSARC TOC filenames; `lib/patcher.py::unpack_psarc` \\u2014 duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` \\u2014 bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module\u0027s default `extractall()` is documented as not preventing traversal when callers don\u0027t supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23: Relative Path Traversal\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-36\", \"description\": \"CWE-36: Absolute Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-19T17:31:05.659Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-49290\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-22T17:04:05.730204Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-06-22T17:05:41.150Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-49290\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-19T17:31:05.659Z\", \"dateReserved\": \"2026-05-28T20:07:58.862Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-19T17:31:05.659Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…