CVE-2026-3051
Published: 24 February 2026
Summary
CVE-2026-3051 is a medium-severity Path Traversal (CWE-22) vulnerability in Dinky Dinky. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in getProjectDir directly enables reading arbitrary files (T1005 Data from Local System, T1083 File and Directory Discovery) and modifying files outside intended scope (T1565.001 Stored Data Manipulation).
NVD Description
A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal. The attack…
more
may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-3051 is a path traversal vulnerability (CWE-22) affecting DataLinkDC dinky versions up to 1.2.5. The issue resides in the getProjectDir function within the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java, part of the Project Name Handler component. By manipulating the projectName argument, an attacker can traverse directories, potentially accessing or modifying files outside the intended scope. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low privilege requirements.
The attack can be performed remotely by an authenticated user with low privileges (PR:L), requiring no user interaction. Successful exploitation allows limited impacts: low-level disclosure of sensitive information (C:L), modification of data or configuration (I:L), and denial of service through file disruption (A:L). No elevated privileges or scope changes are involved.
Advisories from VulDB and a GitHub repository (AnalogyC0de/public_exp) detail the issue but report no vendor response despite early contact. No patches or official mitigations are available, and the exploit has been publicly disclosed, increasing the risk of active use.
In notable context, the public disclosure via GitHub issues heightens exploitation potential, though no evidence of widespread real-world attacks is documented.
Details
- CWE(s)