CVE-2026-49136
HIGHBanana Slides <= 0.4.0 - Unauthenticated Path Traversal via AI Service generate_image Function
Title source: llmDescription
Banana Slides through 0.4.0, patched in commit e8bc490, contains a path traversal vulnerability in the generate_image() function within the AI service backend that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check using os.path.startswith() without a trailing separator. Attackers can supply crafted markdown image references in user-controlled page descriptions that resolve to sibling directories whose names share the uploads folder prefix, bypassing the directory confinement check and causing the application to read files from unintended locations via PIL Image.open().
References (4)
Core 4
Core References
Issue Tracking technical-description
exploit
https://github.com/Anionex/banana-slides/issues/429
Issue Tracking issue-tracking
https://github.com/Anionex/banana-slides/pull/430
Patch patch
https://github.com/Anionex/banana-slides/commit/e8bc490ec8b4b657e07dc3ab4e94fbedcaade421
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/banana-slides-path-traversal-via-generate-image-in-ai-service-py
Scores
CVSS v3
7.5
EPSS
0.0042
EPSS Percentile
33.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
Anionex/banana-slides
< 0.4.0
Anionex/banana-slides
e8bc490ec8b4b657e07dc3ab4e94fbedcaade421
Published
Jun 01, 2026
Tracked Since
Jun 02, 2026