CVE-2026-3051
Published: 24 February 2026
Summary
CVE-2026-3051 is a medium-severity Path Traversal (CWE-22) vulnerability in Dinky Dinky. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-3051 is a path traversal vulnerability (CWE-22) affecting DataLinkDC dinky versions up to 1.2.5. The issue resides in the getProjectDir function within the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java, part of the Project Name Handler component. By manipulating the projectName argument, an attacker can traverse directories, potentially accessing or modifying files outside the intended scope. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low privilege requirements.
The attack can be performed remotely by an authenticated user with low privileges (PR:L), requiring no user interaction. Successful exploitation allows limited impacts: low-level disclosure of sensitive information (C:L), modification of data or configuration (I:L), and denial of service through file disruption (A:L). No elevated privileges or scope changes are involved.
Advisories from VulDB and a GitHub repository (AnalogyC0de/public_exp) detail the issue but report no vendor response despite early contact. No patches or official mitigations are available, and the exploit has been publicly disclosed, increasing the risk of active use.
In notable context, the public disclosure via GitHub issues heightens exploitation potential, though no evidence of widespread real-world attacks is documented.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7443
Vulnerability details
A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal. The attack…
more
may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in getProjectDir directly enables reading arbitrary files (T1005 Data from Local System, T1083 File and Directory Discovery) and modifying files outside intended scope (T1565.001 Stored Data Manipulation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Rejects or sanitizes the untrusted projectName argument before it reaches getProjectDir, directly blocking the ../ sequences that enable path traversal.
Enforces the intended file-system access policy so that even an authenticated user cannot read or write outside the designated project directory.
Monitors for anomalous file-system operations or directory traversal patterns originating from the Project Name Handler.