CVE Alert

CVE-2026-49136

HIGH 7.5

Banana Slides 0.4.0 Path Traversal via generate_image() in ai_service.py

CVSS Score: 7.5
EPSS Score: 0.1%
EPSS Percentile: 32nd

Banana Slides through 0.4.0, patched in commit e8bc490, contains a path traversal vulnerability in the generate_image() function within the AI service backend that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check using os.path.startswith() without a trailing separator. Attackers can supply crafted markdown image references in user-controlled page descriptions that resolve to sibling directories whose names share the uploads folder prefix, bypassing the directory confinement check and causing the application to read files from unintended locations via PIL Image.open().
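The flaw described above is a prefix check that stops at the directory name, so a sibling directory such as uploads_backup satisfies it. The following is an added illustration (not code from the Banana Slides project) that places that incomplete check beside a hardened one using os.path.realpath() and os.path.commonpath(), then runs both over markdown image references pulled from a constructed page description; the /srv/app layout, the sibling directory name and the rule that relative references resolve against the uploads directory are assumptions.

```python
import os
import re

# Constructed layout (assumption, not the project's real paths): the uploads
# root and a sibling directory whose name shares the 'uploads' prefix.
UPLOADS_DIR = "/srv/app/uploads"

# Markdown image syntax ![alt](path); the capture group is the path.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def naive_is_inside(candidate: str) -> bool:
    """Incomplete confinement check of the kind the advisory describes: a bare
    prefix test with no trailing separator, so '/srv/app/uploads_backup/x.png'
    passes because it begins with '/srv/app/uploads'."""
    return os.path.abspath(candidate).startswith(UPLOADS_DIR)


def strict_is_inside(candidate: str, base: str = UPLOADS_DIR) -> bool:
    """Hardened check: resolve both paths (collapsing '..', following symlinks)
    and require the base directory itself to be their common path, which a
    sibling that only shares a name prefix cannot satisfy."""
    real_base = os.path.realpath(base)
    real_cand = os.path.realpath(candidate)
    try:
        return os.path.commonpath([real_base, real_cand]) == real_base
    except ValueError:  # mixed absolute/relative paths or different drives
        return False


def check_description(description: str, check=strict_is_inside) -> dict:
    """Extract every image reference from a user-controlled page description
    and report, per reference, whether the given confinement check admits it.
    Relative references are assumed to resolve against UPLOADS_DIR."""
    verdicts = {}
    for ref in MD_IMAGE.findall(description):
        path = ref if os.path.isabs(ref) else os.path.join(UPLOADS_DIR, ref)
        verdicts[ref] = check(path)
    return verdicts


# Constructed description: one legitimate upload, one reference aimed at the
# prefix-sharing sibling directory, and one '..' escape attempt.
SAMPLE_DESCRIPTION = (
    "Slide 3 ![logo](/srv/app/uploads/logo.png) "
    "![bad](/srv/app/uploads_backup/secret.png) "
    "![dots](../config/flag.png)"
)

if __name__ == "__main__":
    for name, fn in (("naive", naive_is_inside), ("strict", strict_is_inside)):
        print(name, check_description(SAMPLE_DESCRIPTION, fn))
```

Only the naive check admits the uploads_backup reference; both reject the '..' escape, which shows why a prefix test alone is not a confinement check.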

CWE: CWE-22
Vendor: anionex
Product: banana-slides
Published: Jun 1, 2026
Last Updated: Jun 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

Anionex / banana-slides: 0 ≤ version ≤ 0.4.0

References

NVD, CVE.org, EPSS Data
https://github.com/Anionex/banana-slides/issues/429
https://github.com/Anionex/banana-slides/pull/430
https://github.com/Anionex/banana-slides/commit/e8bc490ec8b4b657e07dc3ab4e94fbedcaade421
https://www.vulncheck.com/advisories/banana-slides-path-traversal-via-generate-image-in-ai-service-py

Credits

YU SUN