Cyber Resilience

CVE-2026-3051

MediumPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 32.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3051 is a medium-severity Path Traversal (CWE-22) vulnerability in Dinky Dinky. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3051 is a path traversal vulnerability (CWE-22) affecting DataLinkDC dinky versions up to 1.2.5. The issue resides in the getProjectDir function within the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java, part of the Project Name Handler component. By manipulating the projectName argument, an attacker can traverse directories, potentially accessing or modifying files outside the intended scope. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low privilege requirements.

The attack can be performed remotely by an authenticated user with low privileges (PR:L), requiring no user interaction. Successful exploitation allows limited impacts: low-level disclosure of sensitive information (C:L), modification of data or configuration (I:L), and denial of service through file disruption (A:L). No elevated privileges or scope changes are involved.

Advisories from VulDB and a GitHub repository (AnalogyC0de/public_exp) detail the issue but report no vendor response despite early contact. No patches or official mitigations are available, and the exploit has been publicly disclosed, increasing the risk of active use.

In notable context, the public disclosure via GitHub issues heightens exploitation potential, though no evidence of widespread real-world attacks is documented.

EU & UK References

Vulnerability details

A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal. The attack…

more

may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in getProjectDir directly enables reading arbitrary files (T1005 Data from Local System, T1083 File and Directory Discovery) and modifying files outside intended scope (T1565.001 Stored Data Manipulation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3052Same product: Dinky Dinky
CVE-2026-3053Same product: Dinky Dinky
CVE-2021-47849Shared CWE-22
CVE-2024-57784Shared CWE-22
CVE-2025-1335Shared CWE-22
CVE-2025-68953Shared CWE-22
CVE-2026-44973Shared CWE-22
CVE-2026-34911Shared CWE-22
CVE-2025-60946Shared CWE-22
CVE-2026-6024Shared CWE-22

Affected Assets

dinky
dinky
≤ 1.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Rejects or sanitizes the untrusted projectName argument before it reaches getProjectDir, directly blocking the ../ sequences that enable path traversal.

prevent

Enforces the intended file-system access policy so that even an authenticated user cannot read or write outside the designated project directory.

detect

Monitors for anomalous file-system operations or directory traversal patterns originating from the Project Name Handler.

References