CVE-2026-8770

LOW

continuedev continue JSON-RPC Server lsTool.ts lsTool path traversal

Title source: cna

Description

A vulnerability was identified in continuedev continue up to 1.2.22. This affects the function lsTool of the file core/tools/implementations/lsTool.ts of the component JSON-RPC Server. Such manipulation of the argument dirPath leads to path traversal. An attack has to be approached locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-364395 | continuedev continue JSON-RPC Server lsTool.ts lsTool path traversal

https://vuldb.com/vuln/364395

Signature, Permissions Required signature permissions-required

VDB-364395 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/364395/cti

Third Party Advisory third-party-advisory

Submit #811428 | continuedev continue v1.2.22-vscode Path Traversal (CWE-22)

https://vuldb.com/submit/811428

Exploit exploit

https://gist.github.com/YLChen-007/da04e032993a4b2324df915f9ecf9831

Scores

CVSS v3 3.3

EPSS 0.0026

EPSS Percentile 16.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (25)

continue/continue < 1.2.22

continue/continue 1.2.0 - 1.2.22

continuedev/continue 1.2.0

continuedev/continue 1.2.1

continuedev/continue 1.2.10

continuedev/continue 1.2.11

continuedev/continue 1.2.12

continuedev/continue 1.2.13

continuedev/continue 1.2.14

continuedev/continue 1.2.15

... and 15 more

Published May 18, 2026

Tracked Since May 18, 2026