PYSEC-2026-2393
Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:03
VLAI
Details
The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.
Severity
6.5 (Medium)
Impacted products
| Name | purl | bbot | pkg:pypi/bbot |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bbot",
"purl": "pkg:pypi/bbot"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.8.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.0",
"2.1.0.4809rc0",
"2.1.0.4813rc0",
"2.1.0.4815rc0",
"2.1.0.4817rc0",
"2.1.0.4819rc0",
"2.1.0.4921rc0",
"2.1.0.4929rc0",
"2.1.0.4935rc0",
"2.1.0.4937rc0",
"2.1.0.4939rc0",
"2.1.0.4951rc0",
"2.1.0.4954rc0",
"2.1.0.4957rc0",
"2.1.0.4959rc0",
"2.1.0.4971rc0",
"2.1.0.4978rc0",
"2.1.0.4980rc0",
"2.1.0.4984rc0",
"2.1.0.4992rc0",
"2.1.0.4995rc0",
"2.1.0.4999rc0",
"2.1.0.5001rc0",
"2.1.0.5004rc0",
"2.1.0.5021rc0",
"2.1.0.5028rc0",
"2.1.0.5036rc0",
"2.1.0.5040rc0",
"2.1.0.5078rc0",
"2.1.0.5082rc0",
"2.1.0.5097rc0",
"2.1.1",
"2.1.1.5103rc0",
"2.1.1.5119rc0",
"2.1.1.5121rc0",
"2.1.1.5123rc0",
"2.1.1.5125rc0",
"2.1.1.5127rc0",
"2.1.1.5138rc0",
"2.1.2",
"2.1.2.5140rc0",
"2.1.2.5147rc0",
"2.1.2.5149rc0",
"2.1.2.5152rc0",
"2.1.2.5154rc0",
"2.1.2.5156rc0",
"2.1.2.5158rc0",
"2.1.2.5161rc0",
"2.1.2.5171rc0",
"2.1.2.5173rc0",
"2.1.2.5175rc0",
"2.1.2.5180rc0",
"2.1.2.5182rc0",
"2.1.2.5184rc0",
"2.1.2.5192rc0",
"2.1.2.5196rc0",
"2.1.2.5202rc0",
"2.1.2.5217rc0",
"2.1.2.5221rc0",
"2.1.2.5223rc0",
"2.1.2.5232rc0",
"2.1.2.5234rc0",
"2.1.2.5236rc0",
"2.1.2.5238rc0",
"2.1.2.5240rc0",
"2.2.0",
"2.2.0.5242rc0",
"2.2.0.5263rc0",
"2.2.0.5279rc0",
"2.2.0.5309rc0",
"2.2.0.5311rc0",
"2.3.0.5324rc0",
"2.3.0.5328rc0",
"2.3.0.5336rc0",
"2.3.0.5354rc0",
"2.3.0.5362rc0",
"2.3.0.5364rc0",
"2.3.0.5368rc0",
"2.3.0.5370rc0",
"2.3.0.5376rc0",
"2.3.0.5382rc0",
"2.3.0.5384rc0",
"2.3.0.5397rc0",
"2.3.0.5399rc0",
"2.3.0.5401rc0",
"2.3.0.5404rc0",
"2.3.0.5412rc0",
"2.3.0.5414rc0",
"2.3.0.5418rc0",
"2.3.0.5423rc0",
"2.3.0.5438rc0",
"2.3.0.5445rc0",
"2.3.0.5447rc0",
"2.3.0.5455rc0",
"2.3.0.5459rc0",
"2.3.0.5461rc0",
"2.3.0.5465rc0",
"2.3.0.5467rc0",
"2.3.0.5473rc0",
"2.3.0.5477rc0",
"2.3.0.5479rc0",
"2.3.0.5482rc0",
"2.3.0.5484rc0",
"2.3.0.5489rc0",
"2.3.0.5491rc0",
"2.3.0.5504rc0",
"2.3.0.5515rc0",
"2.3.0.5518rc0",
"2.3.0.5520rc0",
"2.3.0.5522rc0",
"2.3.0.5524rc0",
"2.3.0.5532rc0",
"2.3.0.5538rc0",
"2.3.0.5546rc0",
"2.3.0.5809rc0",
"2.3.1",
"2.3.1.5815rc0",
"2.3.1.5818rc0",
"2.3.1.5820rc0",
"2.3.2",
"2.3.2.5825rc0",
"2.3.2.5827rc0",
"2.3.2.5829rc0",
"2.3.2.5832rc0",
"2.3.2.5836rc0",
"2.3.2.5838rc0",
"2.3.2.5841rc0",
"2.3.2.5848rc0",
"2.3.2.5850rc0",
"2.3.2.5855rc0",
"2.3.2.5874rc0",
"2.3.2.5889rc0",
"2.3.2.5893rc0",
"2.3.2.5897rc0",
"2.3.2.5904rc0",
"2.3.2.5906rc0",
"2.3.2.5909rc0",
"2.3.2.5913rc0",
"2.3.2.5915rc0",
"2.3.2.5927rc0",
"2.3.2.5938rc0",
"2.3.2.5942rc0",
"2.3.2.5944rc0",
"2.3.2.5950rc0",
"2.3.2.5958rc0",
"2.3.2.5967rc0",
"2.3.2.5971rc0",
"2.4.0",
"2.4.0.5974rc0",
"2.4.0.5977rc0",
"2.4.0.5984rc0",
"2.4.0.5986rc0",
"2.4.0.5988rc0",
"2.4.0.5992rc0",
"2.4.0.5995rc0",
"2.4.0.5997rc0",
"2.4.0.5999rc0",
"2.4.0.6005rc0",
"2.4.0.6007rc0",
"2.4.0.6031rc0",
"2.4.0.6037rc0",
"2.4.0.6039rc0",
"2.4.0.6045rc0",
"2.4.0.6050rc0",
"2.4.0.6067rc0",
"2.4.0.6073rc0",
"2.4.1",
"2.4.1.6075rc0",
"2.4.1.6077rc0",
"2.4.1.6089rc0",
"2.4.1.6094rc0",
"2.4.1.6095rc0",
"2.4.1.6100rc0",
"2.4.1.6107rc0",
"2.4.2",
"2.4.2.6109rc0",
"2.4.2.6590rc0",
"2.4.2.6596rc0",
"2.4.2.6608rc0",
"2.4.2.6611rc0",
"2.4.2.6615rc0",
"2.4.2.6621rc0",
"2.4.2.6623rc0",
"2.4.2.6635rc0",
"2.4.2.6638rc0",
"2.4.2.6653rc0",
"2.4.2.6655rc0",
"2.4.2.6659rc0",
"2.4.2.6677rc0",
"2.4.2.6706rc0",
"2.5.0",
"2.5.0.6715rc0",
"2.5.0.6719rc0",
"2.5.0.6721rc0",
"2.5.0.6730rc0",
"2.5.0.6734rc0",
"2.5.0.6737rc0",
"2.5.0.6742rc0",
"2.5.0.6747rc0",
"2.5.0.6765rc0",
"2.5.0.6769rc0",
"2.5.0.6773rc0",
"2.5.0.6779rc0",
"2.5.0.6782rc0",
"2.5.0.6790rc0",
"2.5.0.6803rc0",
"2.5.0.6807rc0",
"2.5.0.6817rc0",
"2.5.0.6831rc0",
"2.6.0",
"2.6.0.6840rc0",
"2.6.0.6842rc0",
"2.6.0.6846rc0",
"2.6.0.6851rc0",
"2.6.0.6853rc0",
"2.6.0.6856rc0",
"2.6.0.6871rc0",
"2.6.0.6879rc0",
"2.6.1",
"2.6.1.6901rc0",
"2.6.1.6913rc0",
"2.6.1.6915rc0",
"2.7.0",
"2.7.0.6919rc0",
"2.7.0.6925rc0",
"2.7.0.6930rc0",
"2.7.0.6932rc0",
"2.7.0.6948rc0",
"2.7.0.6962rc0",
"2.7.0.6989rc0",
"2.7.0.6995rc0",
"2.7.0.7002rc0",
"2.7.0.7010rc0",
"2.7.0.7014rc0",
"2.7.0.7023rc0",
"2.7.0.7027rc0",
"2.7.0.7090rc0",
"2.7.0.7092rc0",
"2.7.0.7094rc0",
"2.7.0.7096rc0",
"2.7.0.7098rc0",
"2.7.0.7100rc0",
"2.7.0.7108rc0",
"2.7.0.7112rc0",
"2.7.0.7116rc0",
"2.7.0.7136rc0",
"2.7.1",
"2.7.1.7141rc0",
"2.7.1.7149rc0",
"2.7.1.7151rc0",
"2.7.1.7153rc0",
"2.7.1.7159rc0",
"2.7.1.7167rc0",
"2.7.1.7169rc0",
"2.7.1.7175rc0",
"2.7.1.7198rc0",
"2.7.1.7202rc0",
"2.7.1.7207rc0",
"2.7.1.7212rc0",
"2.7.2",
"2.7.2.7226rc0",
"2.7.2.7236rc0",
"2.7.2.7238rc0",
"2.7.2.7244rc0",
"2.7.2.7254rc0",
"2.7.2.7256rc0",
"2.7.2.7269rc0",
"2.7.2.7271rc0",
"2.7.2.7278rc0",
"2.7.2.7284rc0",
"2.7.2.7286rc0",
"2.7.2.7288rc0",
"2.7.2.7298rc0",
"2.7.2.7303rc0",
"2.7.2.7311rc0",
"2.7.2.7319rc0",
"2.7.2.7324rc0",
"2.7.2.7334rc0",
"2.7.2.7337rc0",
"2.7.2.7342rc0",
"2.7.2.7353rc0",
"2.7.2.7355rc0",
"2.7.2.7361rc0",
"2.7.2.7364rc0",
"2.7.2.7367rc0",
"2.7.2.7369rc0",
"2.7.2.7379rc0",
"2.7.2.7381rc0",
"2.7.2.7383rc0",
"2.7.2.7388rc0",
"2.7.2.7396rc0",
"2.7.2.7400rc0",
"2.7.2.7406rc0",
"2.7.2.7410rc0",
"2.7.2.7412rc0",
"2.7.2.7414rc0",
"2.7.2.7418rc0",
"2.7.2.7424rc0",
"2.7.2.7426rc0",
"2.7.2.7428rc0",
"2.7.2.7439rc0",
"2.8.0",
"2.8.0.7448rc0",
"2.8.0.7450rc0",
"2.8.0.7452rc0",
"2.8.0.7459rc0",
"2.8.1",
"2.8.1.7464rc0",
"2.8.1.7470rc0",
"2.8.1.7477rc0",
"2.8.2",
"2.8.2.7481rc0",
"2.8.2.7483rc0",
"2.8.2.7485rc0",
"2.8.2.7495rc0",
"2.8.2.7498rc0",
"2.8.2.7503rc0",
"2.8.2.7505rc0",
"2.8.2.7508rc0",
"2.8.2.7516rc0",
"2.8.3",
"2.8.3.7522rc0",
"2.8.3.7533rc0",
"2.8.3.7535rc0",
"2.8.3.7546rc0",
"2.8.3.7550rc0",
"2.8.3.7553rc0",
"2.8.3.7555rc0",
"2.8.4",
"2.8.4.7557rc0",
"2.8.4.7559rc0",
"2.8.4.7575rc0",
"2.8.4.7578rc0",
"2.8.5"
]
}
],
"aliases": [
"CVE-2026-12568",
"GHSA-m54h-vhf9-3w3m"
],
"details": "The `postman_download` module uses the workspace `name` field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user\u0027s system.",
"id": "PYSEC-2026-2393",
"modified": "2026-07-13T16:03:36.176232Z",
"published": "2026-07-13T15:46:20.695226Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-m54h-vhf9-3w3m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12568"
},
{
"type": "WEB",
"url": "https://github.com/blacklanternsecurity/bbot/commit/36bc20818"
},
{
"type": "PACKAGE",
"url": "https://github.com/blacklanternsecurity/bbot"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/bbot"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m54h-vhf9-3w3m"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "BBOT: Arbitrary File Write in postman_download Module"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…