CVE-2026-43616
Published: 04 May 2026
Summary
CVE-2026-43616 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Horsicq Detect-It-Easy. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 24.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Detect-It-Easy versions prior to 3.21 are affected by CVE-2026-43616, a path traversal vulnerability (CWE-23) stemming from insufficient path normalization during archive extraction. This flaw enables attackers to write arbitrary files to the filesystem by crafting malicious archive entries that include relative traversal sequences or absolute paths, allowing files to be placed outside the intended extraction directory.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating it requires local access, low attack complexity, no privileges, and user interaction for exploitation. A local attacker can trick a user into processing a malicious archive within Detect-It-Easy, resulting in arbitrary file writes that enable persistent code execution, such as by overwriting user startup scripts.
Mitigation is provided in Detect-It-Easy version 3.21, available at https://github.com/horsicq/DIE-engine/releases/tag/3.21. Relevant fixes include commits https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee and https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69 in the DIE-engine repository, as well as https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259 in the Formats repository. Additional details are in the Detect-It-Easy repository at https://github.com/horsicq/Detect-It-Easy.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27081
Vulnerability details
Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal during archive extraction directly enables arbitrary file write on the local filesystem. This can be triggered by a user opening a malicious archive file in the vulnerable tool (T1204.002) and used to achieve persistence by overwriting startup scripts or placing files in autostart locations (T1547.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and normalization of archive path inputs to block relative traversal sequences and absolute paths that enable writes outside the intended directory.
Requires integrity verification of extracted files and the Detect-It-Easy binary itself, which would detect or block the unauthorized overwrites of startup scripts resulting from the path traversal.
Mandates timely application of the vendor patch (v3.21) that implements proper path normalization, directly eliminating the CWE-23 flaw described in the CVE.
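The entry-path validation that the first control above calls for, as an added example (it is not Detect-It-Easy's code or its 3.21 fix). The names `unsafe_reason` and `scan_zip` are hypothetical, the sample entry names are constructed, and ZIP is an assumed format because the page does not say which archive types are affected.

```python
import ntpath
import zipfile

# Constructed sample entry names (not taken from any real archive).
SAMPLE_NAMES = ["docs/readme.txt", "a/../b.txt", "../outside.txt",
                "..\\up.txt", "/tmp/abs.txt", "C:\\temp\\x.txt"]


def unsafe_reason(entry_name):
    """Return why an entry name could land outside the extraction
    directory, or None if it stays inside (hypothetical helper)."""
    # Archives can be built on any OS, so treat "\" and "/" alike.
    name = entry_name.replace("\\", "/")
    if name.startswith("/"):
        return "absolute path"
    if ntpath.splitdrive(entry_name)[0]:
        return "drive or UNC prefix"
    depth = 0  # directory levels below the extraction root
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the extraction root
                return "relative traversal"
        else:
            depth += 1
    return None


def scan_zip(source):
    """Map each escaping entry in a ZIP (path or file object) to its reason."""
    with zipfile.ZipFile(source) as zf:
        return {info.filename: reason for info in zf.infolist()
                if (reason := unsafe_reason(info.filename))}


if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(f"{sample!r}: {unsafe_reason(sample) or 'ok'}")
```

The check is purely lexical: an extractor should also confirm that the resolved destination is still under the target directory, because symlinks already on disk are not visible from entry names.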