GHSA-mf33-gv72-w2h5

Source

https://github.com/advisories/GHSA-mf33-gv72-w2h5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mf33-gv72-w2h5/GHSA-mf33-gv72-w2h5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mf33-gv72-w2h5

Aliases

CVE-2026-45727

Published

2026-05-18T17:50:21Z

Modified

2026-05-18T18:02:39.912468Z

Severity

8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

Details

The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion.

Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed.

Impact

An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user.

Patches

Fixed in v0.3.28.

Mitigations

Upgrade to v0.3.28 or later
Restrict network access to the cloakserve port

Database specific

{
    "github_reviewed_at": "2026-05-18T17:50:21Z",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

PyPI / cloakbrowser

Package

Name: cloakbrowser; View open source insights on deps.dev
Purl: pkg:pypi/cloakbrowser

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.28

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.1.10

0.1.11

0.1.12

0.2.0

0.2.1

0.2.2

0.3.0

0.3.1

0.3.2

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10

0.3.11

0.3.12

0.3.13

0.3.14

0.3.15

0.3.16

0.3.17

0.3.18

0.3.19

0.3.20

0.3.21

0.3.22

0.3.23

0.3.24

0.3.25

0.3.26

0.3.27

Database specific

last_known_affected_version_range

"<= 0.3.27"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mf33-gv72-w2h5/GHSA-mf33-gv72-w2h5.json"