12 matches found
SUSE CVE-2026-31886
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the dagRunId request field in the inline DAG execution endpoints, which is passed directly into filepath.Join without format validation. An attacker can cause arbitrary directory deletion by supplying crafted...
GO-2026-4693 Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu
Dagu: Path Traversal via dagRunId in Inline DAG Execution in github.com/dagu-org/dagu...
CVE-2026-31886 Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...
CVE-2026-31886 Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...
CVE-2026-31886
CVE-2026-31886 affects Dagu (workflow engine) prior to 2.2.4. The dagRunId parameter used by inline DAG execution endpoints is passed into filepath.Join without validation, allowing a directory traversal (e.g., ".."). Go’s Join resolves such paths to system temp directories (like /tmp), and a def...
CVE-2026-31886 Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...
EUVD-2026-12089
Dagu: Path Traversal via dagRunId in Inline DAG Execution...
GHSA-M4Q3-457P-HH2X Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Vulnerability Summary The dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as...
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Vulnerability Summary The dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as...
PT-2026-25326
Dagu and Affected Versions Dagu versions prior to 2.2.4 Description Dagu, a workflow engine, contains a path traversal flaw in the inline DAG execution endpoints. The dagRunId request field is passed directly into filepath.Join without proper validation, allowing an attacker to redirect the...
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
Summary Dagu's default configuration ships with authentication disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default. Details...