8.4
OpenViking: Malicious ZIP files can write to unintended directories
GHSA-rpqr-j937-6qr9
CVE-2026-28518
Summary
Older versions of OpenViking can be tricked into writing files to any location on the system. This could allow an attacker to create or modify sensitive files. Update to the latest version of OpenViking to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openviking | <= 0.2.1 | – |
Original title
OpenViking contains a Path Traversal vulnerability
Original description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
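An added example, not OpenViking's code and not the change made in commit 46b3e76: a ZIP import routine that refuses the three member-name forms the description lists (traversal sequences, absolute paths, drive prefixes) before writing anything. The names `safe_member_path`, `safe_extract` and `build_archive` are hypothetical, and the sample archives are constructed.

```python
import io
import os
import re
import shutil
import zipfile

class UnsafeMemberError(ValueError):
    """An archive member name would resolve outside the import directory."""

DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")

def safe_member_path(dest_dir, member_name):
    """Return the resolved target path under dest_dir, or raise UnsafeMemberError."""
    # Treat backslashes as separators so Windows-style names are caught on any OS.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or DRIVE_PREFIX.match(name):
        raise UnsafeMemberError(f"absolute path or drive prefix: {member_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:  # strict: any '..' component is refused
        raise UnsafeMemberError(f"empty name or traversal sequence: {member_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *parts))
    # Final containment check; also catches symlinks already present in dest_dir.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeMemberError(f"escapes import directory: {member_name!r}")
    return target

def safe_extract(archive, dest_dir):
    """Validate every member before writing, so a bad archive writes nothing."""
    written = []
    with zipfile.ZipFile(archive) as zf:
        plan = [(i, safe_member_path(dest_dir, i.filename)) for i in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written

def build_archive(members):
    """Constructed sample input: an in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
```

Validating the full member list before the first write means one unsafe name rejects the whole archive instead of leaving a partial import on disk.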
ghsa CVSS3.1
7.8
ghsa CVSS4.0
8.4
Vulnerability type
CWE-22
Path Traversal
- https://nvd.nist.gov/vuln/detail/CVE-2026-28518
- https://github.com/volcengine/OpenViking/issues/342
- https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec488...
- https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-trav...
- https://github.com/advisories/GHSA-rpqr-j937-6qr9
Published: 3 Mar 2026 · Updated: 8 Mar 2026 · First seen: 6 Mar 2026