Path Traversal Vulnerability in Ferret's IO::FS::WRITE Function
CVE-2026-34783
8.1 HIGH
What is CVE-2026-34783?
A path traversal vulnerability exists in the IO::FS::WRITE function of Ferret, a declarative web data processing system. Attackers can exploit filenames containing traversal sequences (../) while web data is being scraped. Such filenames can lead to the construction of arbitrary output paths, giving attackers control over both the destination and the content of files written to the filesystem. The impact is severe: it can enable remote code execution through malicious cron jobs, SSH authorized_keys configurations, shell profiles, or the insertion of web shells. The issue has been addressed in version 2.0.0-alpha.4.
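The class of bug described above, shown as an added Go example that is not Ferret's code or its fix: a plain path join lets a scraped filename leave the output directory, while a confinement check rejects it. The names NaiveJoin, SafeJoin and ErrEscapesBase, the directory and the sample filenames are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesBase reports a name that would resolve outside the output directory.
var ErrEscapesBase = errors.New("path escapes output directory")

// NaiveJoin is the risky pattern: Join collapses "..", so the result can leave base.
func NaiveJoin(base, name string) string {
	return filepath.Join(base, name)
}

// SafeJoin (hypothetical helper) returns base/name only if it stays inside base.
// The check is lexical; it does not resolve symlinks that already exist in base.
func SafeJoin(base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrEscapesBase
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	// "." is the directory itself; ".." or "../x" is outside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesBase
	}
	return target, nil
}

func main() {
	base := "/srv/scrape/out" // constructed output directory
	// Constructed filenames, as they might arrive from scraped data.
	names := []string{"report.html", "img/logo.png", "..hidden", "../../outside.txt", "a/../../b", "/abs.txt"}
	for _, n := range names {
		p, err := SafeJoin(base, n)
		fmt.Printf("%-20q naive=%-28s safe=%q err=%v\n", n, NaiveJoin(base, n), p, err)
	}
}
```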
Affected Version(s)
ferret < 2.0.0-alpha.4
