Cyber Resilience

CVE-2026-22661

Severity: High · Public PoC

Published: 03 April 2026
Modified: 26 May 2026
KEV Added: not listed
Patch: not recorded
CVSS Score (v4): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0036 (28.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22661 is a high-severity Path Traversal (CWE-22) vulnerability in Fka Prompts.Chat. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 28.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2026-22661 is a path traversal vulnerability (CWE-22) affecting prompts.chat prior to commit 0f8d4c3, specifically in its skill file handling mechanism. The issue stems from inadequate server-side filename validation when processing ZIP archives, allowing attackers to embed path traversal sequences such as "../" in filenames. When these malicious archives are extracted by client-side tools, files can be written outside the intended directory, enabling arbitrary file writes on the victim's system. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for confidentiality and integrity impacts.

Remote, unauthenticated attackers can exploit this vulnerability by crafting and distributing malicious ZIP archives disguised as legitimate skill files. Victims must interact by downloading and extracting the archive, at which point the traversal sequences bypass directory restrictions, allowing files to be written to sensitive locations such as shell initialization files (e.g., .bashrc or .profile). Successful exploitation leads to code execution on the client system, because the overwritten files can carry arbitrary commands that run the next time the user starts a shell session.

Mitigation involves updating prompts.chat to commit 0f8d4c3 or later, as detailed in the project's GitHub commit (0f8d4c381abd7b2d7478c9fdee9522149c2d65e5) and pull request #1101, which presumably introduce proper filename sanitization. Additional guidance is available in the VulnCheck advisory on prompts.chat path traversal via skill file handling.
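To show what the "proper filename sanitization" the fix calls for looks like in practice, here is an added Python example written for this page; it is not the prompts.chat project's own code and does not reproduce commit 0f8d4c3. It validates every ZIP entry name before anything is written (rejecting absolute paths, drive letters, backslashes and any `..` component), then re-checks that each resolved target path still lies under the destination directory as a second, independent control. The two archive fixtures are constructed inline with placeholder contents so the whole thing runs offline.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_safe_member_name(name: str) -> bool:
    """True only if a ZIP entry name can be extracted without leaving the
    destination directory. Rejects empty names, NUL bytes, backslashes,
    absolute paths, Windows drive letters and any '..' path component."""
    if not name or "\0" in name or "\\" in name:
        return False
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    normalized = posixpath.normpath(name)
    if normalized.startswith("/") or normalized in (".", ".."):
        return False
    return ".." not in normalized.split("/")


def find_unsafe_members(zip_bytes: bytes) -> list[str]:
    """Return the entry names that fail validation (an empty list means clean)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not is_safe_member_name(info.filename)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only after every entry passes validation. Raises ValueError
    before writing anything if any entry is unsafe; returns written paths."""
    unsafe = find_unsafe_members(zip_bytes)
    if unsafe:
        raise ValueError(f"refusing archive with unsafe entries: {unsafe}")
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, *info.filename.split("/")))
            # Defense in depth: a name that passed validation must still resolve under root.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_clean_archive() -> bytes:
    """Constructed fixture: a well-formed skill archive (names are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my-skill/SKILL.md", "# demo skill\n")
        zf.writestr("my-skill/scripts/run.sh", "#!/bin/sh\necho hello\n")
    return buf.getvalue()


def build_traversal_archive() -> bytes:
    """Constructed fixture with the shape the advisory describes: a benign entry
    plus one whose name climbs out of the skill directory toward a shell init
    file. Contents are placeholders; this exists only to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my-skill/SKILL.md", "# demo skill\n")
        zf.writestr("../../.bashrc", "# placeholder content\n")
    return buf.getvalue()


def try_extract_in_sandbox(zip_bytes: bytes) -> tuple[bool, list[str]]:
    """Extract into a fresh temporary directory; report (accepted, relative paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            written = safe_extract(zip_bytes, tmp)
        except ValueError:
            return False, []
        root = os.path.realpath(tmp)
        return True, sorted(os.path.relpath(p, root) for p in written)


if __name__ == "__main__":
    print("clean archive:", try_extract_in_sandbox(build_clean_archive()))
    print("traversal archive:", try_extract_in_sandbox(build_traversal_archive()))
    print("flagged entries:", find_unsafe_members(build_traversal_archive()))
```

Two design points: validation runs over the whole archive before the first write, so a rejected archive leaves nothing partially extracted, and the `realpath`/`commonpath` check is deliberately separate from the name check so that a gap in one is caught by the other. Modern `zipfile.extractall` already strips `..` components, but a server-side ingestion path should reject such archives outright rather than silently normalise them, since the goal is to keep them from ever reaching client-side extractors.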

Vulnerability details

prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing server-side filename validation to inject path traversal sequences (../) into skill file archives, which, when extracted by vulnerable tools, write files outside the intended directory and overwrite shell initialization files to achieve code execution.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1546.004 Unix Shell Configuration Modification (Privilege Escalation)
Adversaries may establish persistence through executing malicious commands triggered by a user's shell.
Why these techniques?

Malicious ZIP delivery triggers user extraction (T1204.002); path traversal enables writes to shell init files like .bashrc for execution (T1546.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22663 · Same product: Fka Prompts.Chat
CVE-2026-22665 · Same product: Fka Prompts.Chat
CVE-2026-22664 · Same product: Fka Prompts.Chat
CVE-2026-39973 · Shared CWE-22
CVE-2025-11002 · Shared CWE-22
CVE-2026-35204 · Shared CWE-22
CVE-2025-69621 · Shared CWE-22
CVE-2026-28518 · Shared CWE-22
CVE-2026-28403 · Same vendor: Fka
CVE-2026-28412 · Same vendor: Fka

Affected Assets

Vendor: fka · Product: prompts.chat · Affected: ≤ 2026-03-25

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation [prevent]

Directly requires validation of untrusted input (ZIP filenames) to reject path traversal sequences such as '../' before extraction occurs.

SI-3 Malicious Code Protection [prevent, detect]

Provides mechanisms to scan, detect, and block malicious archives that attempt arbitrary file writes via crafted skill-file ZIPs.

[prevent]

Requires integrity verification of files and software to stop unauthorized overwrites of sensitive files (e.g., shell init scripts) resulting from the path traversal.
