CVE-2026-28676 · HIGH 8.8 · EPSS percentile 34.2%

Description

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did not uniformly enforce base-directory containment. This created path-injection risk in file read/write/delete flows if malicious path-like values were introduced. This issue has been patched in version 1.6.3-alpha.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% probability of exploitation · percentile 34.2% · 2026-06-19T12:03:05Z
Published: 2026-03-06
Last modified: 2026-03-18

Underlying weaknesses (1)

CWE-22

References

  1. https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b
  2. https://github.com/OpenSift/OpenSift/commit/de99b9c
  3. https://github.com/OpenSift/OpenSift/pull/67
  4. https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha
  5. https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv

Weakness mapping (1)

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-28677
  2. CVE: CVE-2026-27169
  3. CVE: CVE-2026-28453
  4. CVE: CVE-2026-41863
  5. CVE: CVE-2026-32060
  6. CVE: CVE-2026-32055

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.