CVE-2026-58171
Severity: MEDIUM
Vibe-Trading < 0.1.10 - Path Traversal via Swarm Run Identifier
Title source: cna
Description
Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.
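The weakness described above is CWE-22 at its simplest: a path built with os.path.join from a caller-controlled segment, with nothing stopping that segment from containing separators or parent references. The following is an added illustration, not code from the Vibe-Trading repository; the names RUNS_BASE, unsafe_run_dir, safe_run_dir, check_run_id and is_contained are assumed for this example, and the real run_dir in agent/src/swarm/store.py is not reproduced. It places the unvalidated join beside a hardened version that allowlists the identifier's shape and then verifies the resolved path is a direct child of the runs directory.

```python
import os
from pathlib import Path
import re

# Constructed sample base directory; it does not need to exist on disk.
RUNS_BASE = "/srv/constructed-runs"

# Allowlist: a run identifier is one to 64 characters of [A-Za-z0-9_-],
# starting with an alphanumeric. No '.', no '/', no '\\' can ever match.
RUN_ID_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


class InvalidRunId(ValueError):
    """Raised when a caller-supplied run identifier is rejected."""


def unsafe_run_dir(base: str, run_id: str) -> str:
    """The pre-fix pattern: the identifier is joined onto the base as-is.

    Note that os.path.join also drops `base` entirely when `run_id` is an
    absolute path, so the result is not even guaranteed to start with base.
    """
    return os.path.join(base, run_id)


def safe_run_dir(base: str, run_id: str) -> Path:
    """Hardened variant (assumed design): allowlist, then containment check."""
    # 1. Reject anything that is not a plain identifier before touching paths.
    if not RUN_ID_PATTERN.fullmatch(run_id):
        raise InvalidRunId(f"run id has invalid characters or length: {run_id!r}")
    base_path = Path(base).resolve()
    candidate = (base_path / run_id).resolve()
    # 2. Defence in depth: after resolving symlinks, the run directory must be
    #    an immediate child of the runs base, nothing deeper and nothing outside.
    if candidate.parent != base_path:
        raise InvalidRunId(f"run id escapes runs directory: {run_id!r}")
    return candidate


def check_run_id(run_id: str, base: str = RUNS_BASE) -> bool:
    """Return True if the hardened function accepts the identifier."""
    try:
        safe_run_dir(base, run_id)
        return True
    except InvalidRunId:
        return False


def is_contained(base: str, run_id: str) -> bool:
    """Report whether the unvalidated join would stay strictly inside base.

    Used here only to show which inputs the old construction lets through.
    """
    base_path = Path(base).resolve()
    target = Path(unsafe_run_dir(base, run_id)).resolve()
    return target != base_path and base_path in target.parents


if __name__ == "__main__":
    # Constructed identifiers: one well-formed, others that a validator must reject.
    for run_id in ("run-42", "../outside", "/abs", "", "a/b"):
        print(f"{run_id!r:14} unsafe join stays inside: {is_contained(RUNS_BASE, run_id)!s:5} "
              f"hardened accepts: {check_run_id(run_id)}")
```

The order matters: the regex allowlist is the real control, because it makes separators and dot segments unrepresentable; the resolve-and-compare step is there to catch a future change to the allowlist, or a symlink planted inside the base, rather than to carry the check on its own. A caller that must support richer identifiers should map them to an allowlisted form (for example a hash) instead of loosening the pattern.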
References (4)
Core References (4)
Release Notes (release-notes): https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10
Fix Commit (patch): https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f07b5e404e41d4fcb0ef0d6c2f87ab
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/vibe-trading-path-traversal-via-swarm-run-identifier
Scores
CVSS v3: 4.2 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L)
EPSS: 0.0025
EPSS Percentile: 16.6%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (1)
HKUDS/Vibe-Trading < 0.1.10
Published: Jun 30, 2026
Tracked Since: Jun 30, 2026