Path Traversal Vulnerability in Vibe-Trading Application by HKUDS
CVE-2026-58171

2.3LOW

Key Information:

Vendor: Hkuds
Status: Vibe-trading
Vendor: CVE Published:; 30 June 2026

What is CVE-2026-58171?

The Vibe-Trading application, prior to version 0.1.10, is susceptible to a path traversal vulnerability that allows attackers to manipulate the swarm run directory. When a crafted run identifier is supplied through the MCP swarm tools, it enables the application to access arbitrary 'run.json' files outside the designated runs directory. This flaw could lead to unauthorized file reading and potential overwriting of existing files at traversed locations, creating significant security risks.

Affected Version(s)

Vibe-Trading 0 < 0.1.10

References

https://github.com/HKUDS/Vibe-Trading/releases/tag/v0.1.10

release-notes

https://github.com/HKUDS/Vibe-Trading/pull/258

issue-tracking

https://github.com/HKUDS/Vibe-Trading/commit/f45fd85392f0...

patch

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 29, 2026

Credit

Chia Min Jun Lennon

CVE-2026-58171 Data

JSON

Hkuds

What is CVE-2026-58171?

Affected Version(s)

References

CVSS V4

Timeline

Credit