CVE-2026-49233

UNKNOWN 0.0

Routinator cache path traversal using rogue rsync URIs

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.

CWE	CWE-22
Vendor	nlnet labs
Product	routinator
Published	Jun 8, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for nlnet labs routinator

Be the first to know when new unknown vulnerabilities affecting nlnet labs routinator are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

NLnet Labs / Routinator

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

nlnetlabs.nl: https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt

Credits

X41 D-Sec GmbH