CVE-2026-58171

MEDIUM 4.2

Vibe-Trading < 0.1.10 - Path Traversal via Swarm Run Identifier

CVSS Score

4.2

EPSS Score

0.0%

EPSS Percentile

0th

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

CWE	CWE-22
Vendor	hkuds
Product	vibe-trading
Published	Jun 30, 2026
Last Updated	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for hkuds vibe-trading

Be the first to know when new medium vulnerabilities affecting hkuds vibe-trading are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Affected Versions

HKUDS / Vibe-Trading

0 < 0.1.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10 github.com: https://github.com/HKUDS/Vibe-Trading/pull/258 github.com: https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab vulncheck.com: https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifier

Credits

Chia Min Jun Lennon