Cyber Posture

CVE-2026-6615

High

Published: 20 April 2026
Modified: 22 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0009 (24.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6615 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validating and sanitizing the manipulated 'Name' argument in the Upload function to block path traversal sequences like '../'.

SI-2 Flaw Remediation (prevent): mandates identification, reporting, and remediation of the specific path traversal flaw in superagi/controllers/resources.py, including compensating controls given vendor non-response.

AC-6 Least Privilege (prevent): restricts the upload handler process to minimal file system access, limiting the damage from a successful path traversal to unintended locations.
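As an added illustration of the SI-10 control above (example code written for this page, not SuperAGI's own Upload handler), a Python validator that rejects a multipart 'Name' argument carrying traversal components before it is joined to the upload directory, with a realpath check as a backstop; the upload root used in the demo is an assumed placeholder.

```python
import os


def traversal_indicators(name: str) -> list:
    """Return the reasons a client-supplied multipart filename is unsafe.

    An empty list means the name is a plain file name: no separators, no
    '..' or '.' components, no NUL bytes. Rejecting (rather than silently
    stripping) lets the handler log the attempt as a T1190 indicator.
    """
    reasons = []
    if not name:
        reasons.append("empty name")
    if "\x00" in name:
        reasons.append("NUL byte")
    # Treat backslashes like slashes so 'a\\..\\b' is handled like 'a/../b'.
    normalised = name.replace("\\", "/")
    if "/" in normalised:
        reasons.append("contains path separator")
    if any(part in (".", "..") for part in normalised.split("/")):
        reasons.append("contains '.' or '..' component")
    return reasons


def resolve_upload_path(root: str, name: str):
    """Map a validated name onto an absolute path under `root`.

    Returns the path, or None when the name fails validation or the resolved
    path would land outside `root` (a filesystem-level backstop that still
    holds if the lexical checks are ever loosened to allow sub-directories).
    """
    if traversal_indicators(name):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names: a benign upload and three traversal attempts.
    # "/srv/uploads" is an assumed root, not SuperAGI's real storage location.
    for sample in ("report.pdf", "../../etc/passwd", "..\\..\\win.ini", ".."):
        reasons = traversal_indicators(sample)
        verdict = "accepted" if not reasons else "rejected: " + ", ".join(reasons)
        print(f"{sample!r:>22} -> {verdict}", resolve_upload_path("/srv/uploads", sample))
```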

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Path traversal in a public-facing upload handler allows remote unauthenticated file read (T1005) and arbitrary file write (T1105); it is directly exploitable as a public-facing application vulnerability (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function Upload of the file superagi/controllers/resources.py of the component Multipart Upload Handler. This manipulation of the argument Name causes path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2026-6615 is a path traversal vulnerability (CWE-22) affecting TransformerOptimus SuperAGI versions up to 0.0.14. The flaw exists in the Upload function within the file superagi/controllers/resources.py, part of the Multipart Upload Handler component. Attackers can exploit it by manipulating the "Name" argument to traverse paths outside intended directories.

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), making it exploitable remotely by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as reading or modifying files in unintended locations.

Advisories referenced in VulDB entries (vuldb.com/vuln/358250 and related pages) detail the issue, while a GitHub Gist provides a public proof-of-concept exploit. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available in the provided references.

An exploit has been made publicly available and could be used for attacks; no real-world exploitation has been reported in the referenced sources.

Details

CWE(s): CWE-22 (Path Traversal)

CVEs Like This One

CVE-2026-3795 (shared CWE-22)
CVE-2026-33183 (shared CWE-22)
CVE-2026-7214 (shared CWE-22)
CVE-2026-40876 (shared CWE-22)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-10559 (shared CWE-22)
CVE-2025-67076 (shared CWE-22)
CVE-2026-5258 (shared CWE-22)
