cvedb.io
CVE-2026-22786
HIGH · CVSS 7.2
EPSS exploitation probability: 0%
Published 2026-01-12T22:16:08.190 · Last modified 2026-06-17T10:20:25.513

Summary

Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability.

Affected products

gin-vue-admin_project — gin-vue-admin

Does this affect you?

Add your gear to cvedb and we'll alert you only when gin-vue-admin_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.