GHSA-3558-J79F-VVM6
Vulnerability from github – Published: 2026-01-13 19:15 – Updated: 2026-01-13 19:15Impact
Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory.
Path traversal vulnerabilities occur when a web application accepts user-supplied file paths without proper validation, allowing attackers to access or write files outside the intended directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../).
Notably, while the related makeFileContent function in the same file properly validates the fileName parameter by checking for .. sequences, the MakeFile function lacks this security control, indicating an inconsistent security implementation.
An attacker with file upload privileges (role ID 888 - super administrator) could exploit this vulnerability by:
First uploading file chunks through the /fileUploadAndDownload/breakpointContinue endpoint (which has proper validation)
Then calling the /fileUploadAndDownload/breakpointContinueFinish endpoint with a malicious fileName parameter containing path traversal sequences (e.g., ../../../tmp/malicious.txt)
This could lead to: Arbitrary file creation, application process, Configuration file overwriting, Potential Remote Code Execution......
POC
-
Use this endpoint to upload any files(include name or file types)
-
Then, the
filenameparameter here uses../to traverse to an arbitrary path. -
Proof
Patches
Please wait for the latest patch
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/flipped-aurora/gin-vue-admin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.8.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22786"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T19:15:13Z",
"nvd_published_at": "2026-01-12T22:16:08Z",
"severity": "HIGH"
},
"details": "### Impact\nGin-vue-admin \u003c= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory.\n\nPath traversal vulnerabilities occur when a web application accepts user-supplied file paths without proper validation, allowing attackers to access or write files outside the intended directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../).\n\nNotably, while the related makeFileContent function in the same file properly validates the fileName parameter by checking for .. sequences, the MakeFile function lacks this security control, indicating an inconsistent security implementation.\n\nAn **attacker with file upload privileges (role ID 888 - super administrator)** could exploit this vulnerability by:\n\nFirst uploading file chunks through the /fileUploadAndDownload/breakpointContinue endpoint (which has proper validation)\n\nThen calling the /fileUploadAndDownload/breakpointContinueFinish endpoint with a malicious fileName parameter containing path traversal sequences (e.g., ../../../tmp/malicious.txt)\n\nThis could lead to:\nArbitrary file creation, application process, Configuration file overwriting, Potential Remote Code Execution......\n\n### POC\n1. Use this endpoint to upload any files(include *name or *file types)\n\u003cimg width=\"1429\" height=\"788\" alt=\"Clipboard_Screenshot_1767755216\" src=\"https://github.com/user-attachments/assets/516022d6-32af-4810-abd9-945cb0bc5ae5\" /\u003e\n\n2. Then, the `filename` parameter here uses `../` to traverse to an arbitrary path. \n\u003cimg width=\"1445\" height=\"306\" alt=\"Clipboard_Screenshot_1767755256\" src=\"https://github.com/user-attachments/assets/577aa1c1-9b26-4082-b431-f9dac1cdc307\" /\u003e\n\n3. Proof\n\u003cimg width=\"837\" height=\"843\" alt=\"Clipboard_Screenshot_1767755312\" src=\"https://github.com/user-attachments/assets/66f51049-8dc8-4c94-994e-a6d8bc1196a9\" /\u003e\n\n\n### Patches\nPlease wait for the latest patch",
"id": "GHSA-3558-j79f-vvm6",
"modified": "2026-01-13T19:15:13Z",
"published": "2026-01-13T19:15:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22786"
},
{
"type": "WEB",
"url": "https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5"
},
{
"type": "PACKAGE",
"url": "https://github.com/flipped-aurora/gin-vue-admin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.