PYSEC-2026-2521

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/instructlab/PYSEC-2026-2521.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2521
Aliases
Published
2026-07-13T15:02:52.619367Z
Modified
2026-07-13T16:31:57.430706740Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
InstructLab vulnerable to Path Traversal
Details

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logs_dir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthorized data modification or disclosure.

References

Affected packages

PyPI / instructlab

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.26.1

Affected versions

0.*
0.14.0
0.15.1
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.18.0a1
0.18.0a2
0.18.0a3
0.18.0a4
0.18.0a5
0.18.0a6
0.18.0a7
0.18.0b1
0.18.0b2
0.18.0b3
0.18.0b4
0.18.0b5
0.18.0b6
0.18.0rc1
0.18.0rc2
0.18.0rc3
0.18.0rc4
0.18.0rc5
0.18.0rc6
0.18.0rc7
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.19.0a1
0.19.0b1
0.19.0rc1
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.20.0a1
0.20.0a2
0.20.0
0.20.1
0.21.0a0
0.21.0a1
0.21.0
0.21.1
0.21.2
0.22.0
0.22.1
0.22.2
0.23.0a0
0.23.0rc0
0.23.0
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.24.0
0.24.1
0.24.2a0
0.24.2
0.24.3
0.25
0.26.0a1
0.26.0
0.26.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/instructlab/PYSEC-2026-2521.yaml"