CVE-2026-32733
- Source
- https://cve.org/CVERecord?id=CVE-2026-32733
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32733.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32733
- Aliases
-
- GHSA-fqrv-rfg4-rv89
- Published
- 2026-03-20T22:37:39.365Z
- Modified
- 2026-04-02T13:41:36.893662Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Halloy has a file transfer path traveral vulnerability
- Details
-
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming
DCC SENDrequests. A remote IRC user could send a filename with path traversal sequences like../../.ssh/authorized_keysand the file would be written outside the user's configuredsave_directory. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a sharedsanitize_filenamefunction. - Database specific
{ "cwe_ids": [ "CWE-22" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32733.json", "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/squidowl/halloy
Affected ranges
- Type
- GIT
- Repo
- https://github.com/squidowl/halloy
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
2023.*
2023.2
2023.3
2023.4
2023.5
2024.*
2024.1
2024.10
2024.11
2024.12
2024.13
2024.14
2024.2
2024.3
2024.4
2024.5
2024.6
2024.7
2024.8
2024.9
2025.*
2025.1
2025.10
2025.11
2025.12
2025.2
2025.3
2025.4
2025.5
2025.6
2025.7
2025.8
2025.9
2026.*
2026.1
2026.1.1
2026.2
2026.3
2026.4
23.*
23.1-alpha1