cvedb.io
CVE-2026-12568
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-06-17T23:17:03.340 · Last modified 2026-06-22T17:45:43.473

Summary

The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.
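The join described in the summary, next to a contained version, as an added example that is not postman_download's own code. The function names and the sample workspace names are hypothetical and constructed for illustration.

```python
import re
import tempfile
from pathlib import Path


def unsafe_workspace_dir(output_dir: Path, workspace_name: str) -> Path:
    """Pattern from the summary: the API-supplied name is joined as-is."""
    # "../" segments walk upward, and an absolute name replaces output_dir.
    return (output_dir / workspace_name).resolve()


def safe_workspace_dir(output_dir: Path, workspace_name: str) -> Path:
    """Map an untrusted name to one directory directly under output_dir."""
    # Keep a conservative character set; separators become "_".
    component = re.sub(r"[^A-Za-z0-9._ -]", "_", workspace_name).strip(" .")
    if not component:
        component = "workspace"  # names such as ".." reduce to nothing
    base = output_dir.resolve()
    target = (base / component).resolve()
    # Containment check after resolution, which also catches a pre-existing
    # symlink of the same name that points outside base.
    if base not in target.parents:
        raise ValueError(f"workspace directory escapes {base}: {target}")
    return target


def is_contained(output_dir: Path, path: Path) -> bool:
    """True when path lies strictly inside output_dir."""
    return output_dir.resolve() in path.resolve().parents


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "out"
        out.mkdir()
        # Constructed sample names, as a workspace name field might carry.
        for name in ["My Team", "../../escaped", "/tmp/elsewhere", ".."]:
            raw = unsafe_workspace_dir(out, name)
            fixed = safe_workspace_dir(out, name)
            print(f"{name!r}: unsafe contained={is_contained(out, raw)}, "
                  f"safe -> {fixed.name!r}")
```

The containment check runs on the resolved path, so it holds even if the character filter is later relaxed.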


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.