| Title | https://github.com/bolo-blog/bolo-solo/ bolo-solo V2.6.4 Write any file |
|---|
| Description | A path traversal vulnerability exists in the /import/markdown endpoint of bolo-solo version 2.6.4_stable. The application uses an unsafe ZIP extraction routine (unpackFilteredZip) that fails to sanitize or validate file paths within uploaded ZIP archives. Specifically, the function constructs output file paths using new File(outputDir, entryName) without canonicalizing or restricting the entry name to the intended output directory. As a result, an authenticated attacker (typically with admin privileges) can upload a malicious ZIP file containing entries with path traversal sequences (e.g., ../../../etc/passwd or ../../static/poc.html). Upon extraction, arbitrary files can be written to any location on the filesystem where the application process has write permissions. This may lead to remote code execution (e.g., via webshell upload), configuration file overwrite, or denial of service. |
|---|
| Source | ⚠️ https://github.com/bolo-blog/bolo-solo/issues/326 |
|---|
| User | MaoQiu (UID 94327) |
|---|
| Submission | 01/20/2026 03:40 (5 months ago) |
|---|
| Moderation | 02/03/2026 15:04 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 343978 [bolo-blog bolo-solo up to 2.6.4 ZIP File BackupService.java unpackFilteredZip path traversal] |
|---|
| Points | 20 |
|---|