CVE-2026-58192
Appium: Unauthenticated arbitrary file/directory deletion in @appium/storage-plugin
CVSS Score
8.6
EPSS Score
0.3%
EPSS Percentile
27th
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.
| CWE | CWE-22 CWE-73 |
| Vendor | appium |
| Product | appium |
| Published | Jul 8, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for appium appium
Be the first to know when new high vulnerabilities affecting appium appium are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
appium / appium
< 1.1.6
References
github.com: https://github.com/appium/appium/security/advisories/GHSA-jwgx-mp9m-jwcr github.com: https://github.com/appium/appium/pull/22362 github.com: https://github.com/appium/appium/commit/5fee01752f2782e96fbe64fd13520b433d4a7535 github.com: https://github.com/appium/appium/releases/tag/%40appium/storage-plugin%401.1.6