2 matches found
CVE-2026-48129
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task inputFiles writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an inputFiles file name, ...
CVE-2026-48129
Kestra CVE-2026-48129 concerns a path traversal in the task inputFiles feature. Before versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, rendered file names could be prefixed with ../, allowing a caller handling untrusted data or webhook data to create or overwrite files outside the task working direc...