CVE-2026-2818
Published: 20 February 2026
Summary
CVE-2026-2818 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Herodevs (inferred from references). Its CVSS base score is 8.2 (High).
Operationally, it is ranked at the 15.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2818, published on 2026-02-20, is a zip-slip path traversal vulnerability (CWE-23) in Spring Data Geode's import snapshot functionality. It enables attackers to write files outside the intended extraction directory, and only Windows operating systems are susceptible. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N).
Remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges required, though user interaction is necessary, such as inducing a victim to import a malicious snapshot. Exploitation changes the scope and allows high integrity impact through arbitrary file writes outside the extraction directory, alongside low confidentiality impact and no availability disruption.
Mitigation details are available in the advisory at https://www.herodevs.com/vulnerability-directory/cve-2026-2818.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8329
Vulnerability details
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation directly addresses and patches the zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality.
Information input validation requires checking file paths from imported snapshots to block traversal outside the intended extraction directory.
Least privilege restricts the importing process's write access, limiting damage from arbitrary file writes even if path traversal occurs.