{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44948","assignerOrgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","state":"PUBLISHED","assignerShortName":"suse","dateReserved":"2026-05-08T12:29:48.969Z","datePublished":"2026-06-30T15:12:17.346Z","dateUpdated":"2026-06-30T16:00:33.240Z"},"containers":{"cna":{"providerMetadata":{"orgId":"404e59f5-483d-4b8a-8e7a-e67604dd8afb","shortName":"suse","dateUpdated":"2026-06-30T15:12:17.346Z"},"title":"Path Traversal in Rancher Fleet ImageScan GitRepo Path Handler","datePublic":"2026-06-29T15:08:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-23","description":"CWE-23 Relative path traversal","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-126","descriptions":[{"lang":"en","value":"CAPEC-126 Path Traversal"}]}],"affected":[{"vendor":"SUSE","product":"Rancher","packageName":"Fleet","repo":"https://github.com/rancher/fleet/","versions":[{"status":"affected","version":"0.12.0","lessThan":"0.12.16","versionType":"semver"},{"status":"affected","version":"0.13.0","lessThan":"0.13.12","versionType":"semver"},{"status":"affected","version":"0.14.0","lessThan":"0.14.7","versionType":"semver"},{"status":"affected","version":"0.15.0","lessThan":"0.15.3","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service.","supportingMedia":[{"type":"text/html","base64":false,"value":"A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service."}]}],"references":[{"url":"https://github.com/rancher/fleet/security/advisories/GHSA-c45g-6c2c-rj3p","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}}],"credits":[{"lang":"en","value":"Sergey Kanibor","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-30T15:59:49.142430Z","id":"CVE-2026-44948","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-30T16:00:33.240Z"}}]}}