CVE-2026-28518

HIGH 7.8

OpenViking .ovpack Import ZIP Slip Path Traversal

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

0th

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.

CWE	CWE-22
Vendor	volcengine
Product	openviking
Published	Mar 3, 2026
Last Updated	Mar 31, 2026

Stay Ahead of the Next One

Get instant alerts for volcengine openviking

Be the first to know when new high vulnerabilities affecting volcengine openviking are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Volcengine / OpenViking

0 ≤ 0.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/volcengine/OpenViking/issues/342 github.com: https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72 vulncheck.com: https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-traversal

Credits

Chia Min Jun Lennon