Cyber Resilience

CVE-2026-43616

Severity: Medium · Public PoC · Updated

Published: 04 May 2026
Modified: 29 May 2026
KEV Added: not listed
Patch: available (3.21)
CVSS Score (v4): 6.8
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-43616 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Horsicq Detect-It-Easy. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 24.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Detect-It-Easy versions prior to 3.21 are affected by CVE-2026-43616, a path traversal vulnerability (CWE-23) stemming from insufficient path normalization during archive extraction. This flaw enables attackers to write arbitrary files to the filesystem by crafting malicious archive entries that include relative traversal sequences or absolute paths, allowing files to be placed outside the intended extraction directory.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating it requires local access, low attack complexity, no privileges, and user interaction for exploitation. A local attacker can trick a user into processing a malicious archive within Detect-It-Easy, resulting in arbitrary file writes that enable persistent code execution, such as by overwriting user startup scripts.

Mitigation is provided in Detect-It-Easy version 3.21, available at https://github.com/horsicq/DIE-engine/releases/tag/3.21. Relevant fixes include commits https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee and https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69 in the DIE-engine repository, as well as https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259 in the Formats repository. Additional details are in the Detect-It-Easy repository at https://github.com/horsicq/Detect-It-Easy.
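The check that the fix class described above amounts to, as an added example written for this page rather than DIE-engine's own code: every archive entry name is normalized and rejected if it is absolute or still contains a ".." component, so the resolved output path can only land under the extraction directory. It assumes POSIX std::filesystem semantics and, as a labelled assumption, treats backslashes as separators.

```cpp
// Added example, not DIE-engine code: decide whether an archive entry name
// may be written under an extraction directory (CWE-23 in archive extraction).
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Returns the resolved output path when `entry_name` stays inside `dest_dir`;
// returns std::nullopt for empty, absolute, rooted, or escaping names.
std::optional<fs::path> safe_extract_path(const fs::path& dest_dir,
                                          std::string entry_name) {
    // Assumption: archives may carry Windows-style separators, so treat '\'
    // as a separator; otherwise "..\\x" is one harmless file name on POSIX.
    for (char& c : entry_name) { if (c == '\\') c = '/'; }
    const fs::path entry(entry_name);
    if (entry.empty() || entry.is_absolute() || entry.has_root_name()) {
        return std::nullopt;   // "/etc/passwd", "C:..." or nothing to write
    }
    // lexically_normal() collapses "a/../b" to "b"; any ".." component left
    // over (e.g. "a/../../x" -> "../x") can only point above dest_dir.
    const fs::path norm = entry.lexically_normal();
    for (const auto& part : norm) {
        if (part == fs::path("..")) return std::nullopt;
    }
    const fs::path base = dest_dir.lexically_normal();
    const fs::path out = (base / norm).lexically_normal();
    // Second check: the final path must be expressible relative to base
    // without climbing out of it.
    const fs::path rel = out.lexically_relative(base);
    if (rel.empty() || *rel.begin() == fs::path("..")) return std::nullopt;
    return out;
}

int main() {
    // Constructed entry names, including the traversal shapes this page describes.
    const std::vector<std::string> names = {
        "docs/readme.txt", "a/b/../c.txt", "..foo/bar",
        "../../home/user/.bashrc", "a/../../.bashrc", "/etc/passwd", "..\\..\\x"};
    for (const auto& n : names) {
        auto p = safe_extract_path("/tmp/out", n);
        std::cout << (p ? "write   " + p->string() : "REJECT  " + n) << '\n';
    }
    return 0;
}
```

The check is purely lexical: it does not protect against a symlink already present under the extraction directory (for example one written by an earlier entry of the same archive), so an extractor should also refuse to follow symlinks when creating parent directories and files.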


Vulnerability details

Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts.

CWE(s)

CWE-23 Relative Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

T1547.001 Registry Run Keys / Startup Folder (Persistence)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

Why these techniques?

Path traversal during archive extraction directly enables arbitrary file write on the local filesystem. This can be triggered by a user opening a malicious archive file in the vulnerable tool (T1204.002) and used to achieve persistence by overwriting startup scripts or placing files in autostart locations (T1547.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-26349 (shared CWE-23)
CVE-2025-53082 (shared CWE-23)
CVE-2025-27553 (shared CWE-23)
CVE-2026-43533 (shared CWE-23)
CVE-2026-41551 (shared CWE-23)
CVE-2025-55747 (shared CWE-23)
CVE-2026-31831 (shared CWE-23)
CVE-2025-64446 (shared CWE-23)
CVE-2026-29778 (shared CWE-23)
CVE-2025-23011 (shared CWE-23)

Affected Assets

Vendor: horsicq
Product: detect-it-easy
Versions: ≤ 3.21

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and normalization of archive path inputs to block relative traversal sequences and absolute paths that enable writes outside the intended directory.

Integrity verification (prevent, detect)
Requires integrity verification of extracted files and the Detect-It-Easy binary itself, which would detect or block the unauthorized overwrites of startup scripts resulting from the path traversal.

SI-2 Flaw Remediation (prevent)
Mandates timely application of the vendor patch (v3.21) that implements proper path normalization, directly eliminating the CWE-23 flaw described in the CVE.
