Lucene search
K

12 matches found

SUSE CVE
SUSE CVE
added 2026/03/25 12:24 a.m.3 views

SUSE CVE-2026-31886

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...

9.1CVSS6.1AI score0.00421EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/13 8:41 p.m.1 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the dagRunId request field in the inline DAG execution endpoints, which is passed directly into filepath.Join without format validation. An attacker can cause arbitrary directory deletion by supplying crafted...

9.1CVSS6.3AI score0.00421EPSS
Exploits1References2
OSV
OSV
added 2026/03/13 7:53 p.m.4 views

GO-2026-4693 Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu

Dagu: Path Traversal via dagRunId in Inline DAG Execution in github.com/dagu-org/dagu...

9.1CVSS5.8AI score0.00421EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/13 7:32 p.m.27 views

CVE-2026-31886 Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...

9.1CVSS0.00421EPSS
Exploits1References2
OSV
OSV
added 2026/03/13 7:32 p.m.5 views

CVE-2026-31886 Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...

9.1CVSS6AI score0.00421EPSS
Exploits1References4
CVE
CVE
added 2026/03/13 7:32 p.m.16 views

CVE-2026-31886

CVE-2026-31886 affects Dagu (workflow engine) prior to 2.2.4. The dagRunId parameter used by inline DAG execution endpoints is passed into filepath.Join without validation, allowing a directory traversal (e.g., ".."). Go’s Join resolves such paths to system temp directories (like /tmp), and a def...

9.1CVSS6AI score0.00421EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/13 7:32 p.m.2 views

CVE-2026-31886 Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...

9.1CVSS6AI score0.00421EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/13 3:40 p.m.5 views

EUVD-2026-12089

Dagu: Path Traversal via dagRunId in Inline DAG Execution...

9.1CVSS5.8AI score0.00421EPSS
Exploits1References2
OSV
OSV
added 2026/03/13 3:40 p.m.7 views

GHSA-M4Q3-457P-HH2X Dagu: Path Traversal via `dagRunId` in Inline DAG Execution

Vulnerability Summary The dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as...

9.1CVSS6.2AI score0.00421EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/13 3:40 p.m.6 views

Dagu: Path Traversal via `dagRunId` in Inline DAG Execution

Vulnerability Summary The dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as...

9.1CVSS6.2AI score0.00421EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.7 views

PT-2026-25326

Dagu and Affected Versions Dagu versions prior to 2.2.4 Description Dagu, a workflow engine, contains a path traversal flaw in the inline DAG execution endpoints. The dagRunId request field is passed directly into filepath.Join without proper validation, allowing an attacker to redirect the...

9.9CVSS7.4AI score0.22162EPSS
Exploits69References139
Github Security Blog
Github Security Blog
added 2026/02/19 10:4 p.m.8 views

Dagu affected by unauthenticated RCE via inline DAG spec in default configuration

Summary Dagu's default configuration ships with authentication disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default. Details...

6AI score
Exploits0References2Affected Software1
Rows per page
Query Builder