CVE Catalog

CVE-2026-58170

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

33th percentile — higher than 33% of all known CVEs

Summary

A path traversal vulnerability in Vibe-Trading before version 0.1.10 allows an attacker to load a controlled JSON file as an authoritative trading mandate by manipulating the proposal identifier. Combined with the file upload endpoint, an admitted caller can fully control the committed mandate, bypassing ceilings validation.

Risk Assessment

The risk is that an attacker can fully control the trading mandate, potentially leading to unauthorized transactions and financial losses.

Recommendation

Upgrade Vibe-Trading to version 0.1.10 or later, which fixes the path traversal vulnerability.

Original NVD description (English source)

Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization (agent/src/live/mandate/commit.py). A proposal identifier containing path traversal sequences causes the application to load an attacker-controlled JSON file as an authoritative live trading mandate. Combined with the file upload endpoint, an admitted caller can write a JSON file to a known location and traverse to it, and because the ceilings validation is skipped when ceilings are absent, the attacker fully controls the committed mandate.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS