PYSEC-2026-1967

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/tiny-scientist/PYSEC-2026-1967.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1967
Aliases
Published
2026-07-07T16:03:00.787606Z
Modified
2026-07-07T17:48:05.321893729Z
Severity
  • 6.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)
Details

Description

A critical path traversal vulnerability (CWE-22) has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions.

Impact

This vulnerability allows attackers to: - Read any PDF file accessible to the server process - Potentially access sensitive documents outside the intended directory - Perform reconnaissance on the server's file system structure

Vulnerable Code

The issue occurs in the review_paper function around line 744:

if pdf_path.startswith("/api/files/"):
    # Safe path handling for API routes
    relative_path = pdf_path[len("/api/files/"):]
    generated_base = os.path.join(project_root, "generated")
    absolute_pdf_path = os.path.join(generated_base, relative_path)
else:
    absolute_pdf_path = pdf_path  # VULNERABLE: Direct use of user input

Proof of Concept

curl -X POST http://localhost:5000/api/review \
  -H "Content-Type: application/json" \
  -d '{"pdf_path": "/etc/passwd"}'

Credit

This vulnerability was discovered and reported by Ruizhe.

References

Affected packages

PyPI / tiny-scientist

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.1.0

Affected versions

0.*
0.0.1b0
0.0.1
0.0.2
0.0.3
0.0.4
0.1.0
0.1.1
0.1.2
0.1.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/tiny-scientist/PYSEC-2026-1967.yaml"