Cyber Resilience

CVE-2026-44933

Severity: High
Published: 20 May 2026
Modified: 20 May 2026
KEV Added: not listed
Patch: (no value given)
CVSS v4 base score: 8.5
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0021 (11.7th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-44933 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability affecting Suse (vendor inferred from references). Its CVSS v4 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 11.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

`PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`. This root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, the `chroot` is a no-op, allowing the traversed path to execute host binaries (like `/bin/bash`) with root privileges.
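The detail above turns on two facts: a `chroot` to `/` confines nothing, and a plugin path that is not checked against its root can resolve to a host binary. The following is an added example, not code from the page or from the affected project, of the guard a plugin runner can apply before executing anything: it refuses a root of `/` outright and rejects any plugin path that resolves outside the root. The function name `resolve_confined_plugin`, the `repo-root` directory and the `plugins/hook.sh` file are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def resolve_confined_plugin(root: str, plugin_rel: str) -> Path:
    """Resolve plugin_rel under root and return the path only if it stays inside root.

    Raises ValueError when root is the filesystem root (a chroot there is a no-op,
    so the root provides no confinement) or when the resolved path escapes root
    (parent-directory traversal, absolute paths, or symlinks pointing outside).
    """
    root_p = Path(root).resolve()
    if root_p == Path(root_p.anchor):  # '/' on POSIX
        raise ValueError("root is the filesystem root: chroot would be a no-op")
    if not root_p.is_dir():
        raise ValueError(f"root is not a directory: {root}")
    # resolve() collapses '..' components and follows symlinks, so the check
    # below sees the path that would actually be executed.
    candidate = (root_p / plugin_rel).resolve()
    if not candidate.is_relative_to(root_p):
        raise ValueError(f"plugin path escapes root: {plugin_rel!r}")
    return candidate


def demo() -> dict:
    """Exercise the guard against constructed inputs; returns outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo-root"  # constructed stand-in for repoManagerRoot
        (root / "plugins").mkdir(parents=True)
        (root / "plugins" / "hook.sh").write_text("#!/bin/sh\necho hook\n")
        # A well-formed relative plugin path stays inside the root and is accepted.
        results["inside"] = resolve_confined_plugin(str(root), "plugins/hook.sh").name
        # Parent-directory traversal and absolute paths both resolve outside root.
        for label, rel in (("dotdot", "../../bin/sh"), ("absolute", "/bin/sh")):
            try:
                resolve_confined_plugin(str(root), rel)
                results[label] = "allowed"
            except ValueError:
                results[label] = "rejected"
    # A root of '/' is refused before any path is resolved.
    try:
        resolve_confined_plugin("/", "bin/bash")
        results["slash_root"] = "allowed"
    except ValueError:
        results["slash_root"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The root check is deliberately separate from the traversal check: a plugin path can be perfectly well-formed and still run unconfined if the root it is confined to is `/`, which is exactly the no-op the details describe. Rejecting that configuration (or substituting a real, non-root staging directory) is the fix on the runner's side; the path check covers the traversal half.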

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1611 Escape to Host (tactic: Privilege Escalation): Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

Chroot to '/' is a no-op enabling host binary execution (e.g. /bin/bash) as root; directly maps to privilege escalation via exploitation and escape to host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-42930 (shared CWE-35)
- CVE-2025-59793 (shared CWE-35)
- CVE-2025-26356 (shared CWE-35)
- CVE-2025-26354 (shared CWE-35)
- CVE-2026-25397 (shared CWE-35)
- CVE-2025-59099 (shared CWE-35)
- CVE-2026-25705 (shared CWE-35)
- CVE-2024-54362 (shared CWE-35)
- CVE-2026-7302 (shared CWE-35)
- CVE-2026-20034 (shared CWE-35)

Affected Assets

Suse (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References