CVE-2026-28427
HIGH
OpenDeck < 2.8.1 - Path Traversal via Plugin Static File Request
Title source: llm
Description
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nekename/OpenDeck/security/advisories/GHSA-4974-g27q-h5m8
Scores
CVSS v3
7.5
EPSS
0.0043
EPSS Percentile
34.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-24
Status
published
Products (1)
nekename/opendeck
< 2.8.1
Published
Mar 04, 2026
Tracked Since
Mar 05, 2026