Cyber Resilience

CVE-2026-22685

Severity: High
Published: 10 January 2026
Modified: 12 March 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0039 (31.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22685 is a high-severity path traversal (CWE-22) vulnerability in DevToys (vendor: DevToys). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 31.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22685 is a path traversal vulnerability (CWE-22) in DevToys, a desktop application for developers. The flaw affects versions from 2.0.0.0 up to but not including 2.0.9.0, specifically in the extension installation mechanism. When processing NUPKG archive packages for extensions, DevToys does not adequately validate file paths within the archive. This allows malicious packages to include crafted entries, such as ../../…/target-file, enabling the extraction process to write files outside the intended extensions directory and overwrite arbitrary files on the user's system under the privileges of the DevToys process.
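The containment check an extractor needs before writing any archive entry, as an added example written for this page and not DevToys' own code: it lists the entries of an in-memory NUPKG (a zip container; the packages and the extensions directory path are constructed sample data, not real DevToys artefacts) and reports every entry whose resolved path would land outside the destination directory.

```python
from __future__ import annotations

import io
import os
import zipfile


def entry_is_contained(dest_dir: str, entry_name: str) -> bool:
    """True only if the archive entry would be written inside dest_dir."""
    # Zip/NUPKG entries use '/', but Windows extractors also honour '\',
    # so normalise before inspecting the path.
    name = entry_name.replace("\\", "/")
    if not name or name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False  # absolute or drive-qualified path: never acceptable
    dest = os.path.realpath(dest_dir)
    # realpath collapses '..' segments, so 'lib/../../x' is caught as well.
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    return os.path.commonpath([dest, target]) == dest


def validate_package(nupkg_bytes: bytes, dest_dir: str) -> list[str]:
    """Return entry names that would escape dest_dir; an empty list means safe."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        return [n for n in zf.namelist() if not entry_is_contained(dest_dir, n)]


def build_package(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (the container behind .nupkg): constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Hypothetical extensions directory and sample packages (constructed, not real data).
EXT_DIR = "/tmp/devtoys/extensions"
BENIGN = build_package({"Ext.nuspec": b"<package/>", "lib/net8.0/Ext.dll": b"MZ"})
MALICIOUS = build_package({"lib/net8.0/Ext.dll": b"MZ", "../../startup/target-file": b"x"})

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("malicious", MALICIOUS)):
        escaping = validate_package(pkg, EXT_DIR)
        print(f"{label}: {'rejected ' + str(escaping) if escaping else 'safe to extract'}")
```

The whole package is rejected if any entry escapes, so the check runs before the first write rather than entry by entry during extraction.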

An attacker can exploit this vulnerability by providing a malicious NUPKG extension package, which requires no privileges (PR:N) and is accessible over the network (AV:N), but demands user interaction (UI:R) to install. Successful exploitation allows overwriting of arbitrary files, potentially leading to code execution, configuration tampering, or corruption of application or system files, depending on the environment. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts.

The issue has been addressed in DevToys version 2.0.9.0. Mitigation details are available in the GitHub security advisory (GHSA-ggxr-h6fm-p2qh), the fixing pull request (#1643), and the patch commit (02fb7d46d9c663a4ee6ed968baa6a8810405047f), all at https://github.com/DevToys-app/DevToys. Security practitioners should advise users to update to 2.0.9.0 or later and avoid installing untrusted extensions.

Vulnerability details

DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user's system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1204.002 Malicious File [Execution]: An adversary may rely upon a user opening a malicious file in order to gain execution.
T1574 Hijack Execution Flow [Stealth]: Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
Why these techniques?

Path traversal during NUPKG extraction lets a malicious extension file (T1204.002) overwrite arbitrary files, which in turn can facilitate execution flow hijacking (T1574) for code execution or persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

The following CVEs share CWE-22 (path traversal): CVE-2025-11002, CVE-2026-35204, CVE-2025-69621, CVE-2026-28518, CVE-2026-39307, CVE-2026-27704, CVE-2026-5656, CVE-2026-30853, CVE-2026-22661, CVE-2026-3223.

Affected Assets

Product: devtoys (vendor: devtoys), versions 2.0.1.0 to 2.0.9.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Directly prevents path traversal by validating file paths in NUPKG archives before extraction to ensure they stay within the intended directory (SI-10, Information Input Validation).

Prevent: Enforces access controls to restrict DevToys process writes to authorized directories only, blocking overwrites outside the extensions folder (AC-3, Access Enforcement).

Prevent: Mitigates exploitation by scanning and restricting installation of untrusted user extensions, reducing exposure to malicious NUPKG packages.
