Path Traversal Vulnerability in DeepCode Product by HKUDS
CVE-2026-32847

8.7HIGH

Key Information:

Vendor: Hkuds
Status: Deepcode
Vendor: CVE Published:; 28 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-32847?

DeepCode contains a path traversal vulnerability located in the SPA catch-all route within new_ui/backend/main.py. This flaw allows unauthenticated users to exploit the system by providing percent-encoded path segments via the GET /{full_path:path} endpoint. By circumventing Starlette's path normalization, attackers can manipulate the paths to traverse outside of the designated FRONTEND_DIST directory. This exploitation may lead to unauthorized access to sensitive files, including SSH private keys, TLS certificates, and application secrets, all through a simple HTTP request.

Affected Version(s)

DeepCode 0 <= 1.2.0

DeepCode 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-32847 - Proof of Concept

References

https://github.com/HKUDS/DeepCode/issues/126

exploitissue-tracking

https://www.vulncheck.com/advisories/deepcode-path-traver...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 28, 2026
👾
Exploit known to exist
May 28, 2026
Vulnerability published
May 28, 2026
Vulnerability Reserved
Mar 16, 2026

Credit

YU SUN

CVE-2026-32847 Data

JSON

Hkuds

Badges

What is CVE-2026-32847?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit