Cyber Resilience

CVE-2026-2818

Severity: High (Updated)
Published: 20 February 2026
Modified: 30 June 2026
KEV Added
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N)
EPSS Score: 0.0025 (15.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2818 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Herodevs (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, it is ranked at the 15.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2818, published on 2026-02-20, is a zip-slip path traversal vulnerability (CWE-23) in Spring Data Geode's import snapshot functionality. It enables attackers to write files outside the intended extraction directory and is reported to affect Windows operating systems only. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N).

Remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges required, though user interaction is necessary, such as inducing a victim to import a malicious snapshot. Exploitation crosses a scope boundary (S:C) and allows high integrity impact through arbitrary file writes outside the extraction directory, alongside low confidentiality impact and no availability disruption.

Mitigation details are available in the advisory at https://www.herodevs.com/vulnerability-directory/cve-2026-2818.

Vulnerability details

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8361 (shared CWE-23)
CVE-2026-30345 (shared CWE-23)
CVE-2026-29778 (shared CWE-23)
CVE-2025-62878 (shared CWE-23)
CVE-2025-25130 (shared CWE-23)
CVE-2026-43616 (shared CWE-23)
CVE-2026-8073 (shared CWE-23)
CVE-2026-33733 (shared CWE-23)
CVE-2026-29101 (shared CWE-23)
CVE-2025-20059 (shared CWE-23)

Affected Assets

Herodevs (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-2 (Flaw Remediation). Timely flaw remediation directly addresses and patches the zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality.

prevent: SI-10 (Information Input Validation). Information input validation requires checking file paths from imported snapshots to block traversal outside the intended extraction directory.

prevent: Least privilege. Least privilege restricts the importing process's write access, limiting damage from arbitrary file writes even if path traversal occurs.
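The input-validation control above is easiest to see as code. The following Python example is added here; it is not part of the HeroDevs advisory or of Spring Data Geode itself (which is Java), and the function names and the sample archive it builds are assumptions. It constructs an in-memory archive whose entry names are shaped like traversal attempts, rejects every entry that would land outside the extraction root using two independent checks (a syntactic check on the entry name and a check on the resolved on-disk path), and shows why a backslash-based entry name matters on Windows: there the backslash is a path separator, while on POSIX hosts it is an ordinary filename character.

```python
"""Zip-slip defence: validate every archive entry name before extracting it.
Added example; not code from the advisory or from Spring Data Geode."""
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath, PureWindowsPath
from typing import List, Optional, Tuple


def is_safe_entry_name(name: str) -> bool:
    """First layer: reject entry names that cannot be safely joined to a root.

    Backslashes are normalised to '/' before checking. On Windows a backslash
    is a separator, so a name such as '..\\..\\x' escapes the root there; on
    POSIX it is just a character in a filename. An importer that may run on
    either OS should treat it as a separator everywhere (the conservative
    choice), which is what this function does.
    """
    normalised = name.replace("\\", "/")
    if not normalised or normalised.startswith("/"):
        return False                         # empty name or absolute POSIX path
    if PureWindowsPath(normalised).anchor:   # 'C:/x', 'C:x', '//server/share/x'
        return False
    # Any '..' component is rejected, even 'a/../b' that would stay inside:
    # a legitimate snapshot has no reason to contain one.
    return ".." not in PurePosixPath(normalised).parts


def resolve_inside(root: str, name: str) -> Optional[str]:
    """Second layer: resolve the final on-disk path and confirm it is under root.

    Returns the absolute target path, or None if it would escape the root.
    realpath() also follows any symlinks already present under the root.
    """
    root_abs = os.path.realpath(root)
    parts = PurePosixPath(name.replace("\\", "/")).parts
    if not parts:                            # '.' or '' resolves to the root itself
        return None
    candidate = os.path.realpath(os.path.join(root_abs, *parts))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def safe_extract(zip_bytes: bytes, root: str) -> Tuple[List[str], List[str]]:
    """Extract an archive into root, skipping entries that fail either check.

    Returns (extracted entry names, rejected entry names). In a real importer
    the rejected list is what you would log and alert on.
    """
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = resolve_inside(root, name) if is_safe_entry_name(name) else None
            if target is None:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_snapshot() -> bytes:
    """Constructed sample archive (not a real Spring Data Geode snapshot):
    one legitimate entry plus four names shaped like traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snapshot/region.data", b"ok")          # legitimate
        zf.writestr("../../outside-posix.txt", b"x")       # '/' separators
        zf.writestr("..\\..\\outside-windows.txt", b"x")   # '\\' separators (Windows)
        zf.writestr("C:\\outside-drive.txt", b"x")         # drive-rooted
        zf.writestr("/outside-absolute.txt", b"x")         # absolute POSIX
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Extract the constructed archive into a scratch directory."""
    with tempfile.TemporaryDirectory() as root:
        return safe_extract(build_sample_snapshot(), root)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

Running the module extracts only `snapshot/region.data` and reports the other four names as rejected. The least-privilege control in the list complements this: even if a name slips past validation, the importing process should only hold write access to the snapshot directory, so the check above should be run by a process that cannot write anywhere else.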
