CVE-2026-33344 in dagu-org dagu
Résumé (Anglaise)
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.
Responsable
GitHub_M
Réserver
18/03/2026
Divulgation
24/03/2026
Entrées
| ID | Vulnérabilité | CWE | Base | Temp | 0day | Aujourd'hui | Exp | KEV | EPSS | CTI | Con | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 352869 | dagu-org dagu API generateFilepath directory traversal | 22 | 7.2 | 7.0 | $0-$5k | $0-$5k | Non défini | 0.00021 | 0.47 | Correctif officiel | CVE-2026-33344 |