Cyber Resilience

CVE-2026-28518

HighPublic PoC

Published: 03 March 2026

Published
03 March 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v4 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0018 7.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-28518 is a high-severity Path Traversal (CWE-22) vulnerability in Volcengine Openviking. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28518 is a path traversal vulnerability (CWE-22) affecting OpenViking versions 0.2.1 and prior, specifically in the handling of .ovpack file imports. The flaw enables attackers to write files outside the intended import directory by crafting malicious ZIP archives that include path traversal sequences, absolute paths, or drive prefixes in member names. This allows overwriting or creating arbitrary files with the privileges of the importing process. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-03-03.

An attacker with local access can exploit this vulnerability without privileges by tricking a user into importing a malicious .ovpack ZIP archive, as user interaction is required. Successful exploitation grants the ability to overwrite or create arbitrary files on the system, potentially leading to high-impact confidentiality, integrity, and availability compromises depending on the targeted files and process privileges.

The vulnerability is fixed in OpenViking commit 46b3e76e28b9b3eee73693720c9ec48820228b72. Advisories from VulnCheck detail the Zip Slip-style path traversal in .ovpack import handling, while GitHub issues #342 provide additional context on the discovery and resolution. Security practitioners should update to the patched commit and validate ZIP archives during imports to mitigate risks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute…

more

paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is triggered by a user importing a crafted malicious .ovpack archive (ZIP), directly mapping to user execution of a malicious file; the path traversal primitive then enables arbitrary file write/overwrite for follow-on impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40525Same product: Volcengine Openviking
CVE-2025-11002Shared CWE-22
CVE-2026-35204Shared CWE-22
CVE-2025-69621Shared CWE-22
CVE-2026-39307Shared CWE-22
CVE-2026-27704Shared CWE-22
CVE-2026-5656Shared CWE-22
CVE-2026-30853Shared CWE-22
CVE-2026-44340Shared CWE-22
CVE-2026-22661Shared CWE-22

Affected Assets

volcengine
openviking
≤ 0.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of ZIP archive member names and paths during .ovpack imports to block traversal sequences, absolute paths, and drive prefixes.

prevent

Mandates timely installation of patches, such as the fix in commit 46b3e76, to remediate the path traversal flaw in OpenViking import handling.

prevent

Limits the importing process to least privilege, reducing the impact of arbitrary file writes outside the intended directory.

References