GHSA-9cp7-j3f8-p5jx: Daptin has Unauthenticated Path Traversal and Zip Slip
The cloudstore.file.upload action in server/actions/action_cloudstore_file_upload.go writes uploaded files to disk under user-supplied names, and for archive uploads under the entry names found inside the archive, without checking that the resulting path stays within the intended upload directory.
Because the action requires no authentication, a remote attacker can supply a filename containing ../ sequences (path traversal) or an archive whose entry names do (zip slip) to write files to any location the server process can reach. Arbitrary file write of this kind can typically be turned into remote code execution, for example by overwriting scripts, configuration or scheduled-task files that the host later executes.
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
CWE: CWE-22 (Path Traversal)
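The missing check is the containment test that any upload or unzip routine needs: resolve the supplied name beneath the destination directory and refuse it if the cleaned result lands outside. The Go program below is an added, self-contained illustration of that check and is not Daptin's code; it makes no assumptions about Daptin's internals, and the function names, the temporary directory and the archive entry names are constructed for the demonstration. It covers both cases named in the advisory: a single uploaded filename and the entries of an uploaded zip archive.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a supplied name would resolve outside dest.
var ErrPathTraversal = errors.New("path escapes destination directory")

// secureJoin resolves name beneath base and rejects any result that leaves base.
// A bare filepath.Join(base, name) is the vulnerable pattern; this is the
// check it lacks. Comparing the cleaned result against base is more robust
// than scanning the raw input for "..", which "a/../../x" style names defeat.
func secureJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Zip entry names use '/' regardless of platform; map to the host separator.
	target := filepath.Join(absBase, filepath.FromSlash(name))
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

// extractZip writes every entry of an in-memory archive below dest, refusing the
// whole archive before writing anything if any entry would escape (zip slip).
func extractZip(archive []byte, dest string) error {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Since Go 1.20 NewReader can flag insecure names itself, but that check is
	// disabled by default (GODEBUG zipinsecurepath=1), so do not rely on it.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	paths := make([]string, len(zr.File))
	for i, f := range zr.File { // validate all names first: no partial trees
		p, err := secureJoin(dest, f.Name)
		if err != nil {
			return fmt.Errorf("entry %q: %w", f.Name, err)
		}
		paths[i] = p
	}
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(paths[i], 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(paths[i]), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		out, err := os.OpenFile(paths[i], os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return err
		}
	}
	return nil
}

// buildZip creates a constructed in-memory archive for the demonstration; the
// entry names passed to it below are test data, not content from the advisory.
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, err := zw.Create(name) // the writer does not validate names
		if err != nil {
			panic(err)
		}
		_, _ = w.Write([]byte(body))
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "uploads")
	defer os.RemoveAll(dest)
	for _, name := range []string{"report.txt", "../../../etc/cron.d/job", "sub/../../x", "..hidden"} {
		_, err := secureJoin(dest, name)
		fmt.Printf("%-26s -> %v\n", name, err)
	}
	hostile := buildZip(map[string]string{"ok.txt": "fine", "../../escape.sh": "#!/bin/sh\n"})
	fmt.Println("hostile archive:", extractZip(hostile, dest))
	benign := buildZip(map[string]string{"docs/readme.txt": "fine"})
	fmt.Println("benign archive: ", extractZip(benign, dest))
}
```

The two-pass extraction matters as much as the path check: validating every entry name before the first write means a hostile archive leaves nothing behind, rather than a half-extracted tree that an attacker can still make use of.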