Main Vulnerability Database SB2026050529

SB2026050529 - Path traversal in Traefik

Published: May 5, 2026

Security Bulletin ID SB2026050529

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2025-54386)

The vulnerability allows a remote user to overwrite arbitrary files and execute arbitrary code.

The vulnerability exists due to path traversal in the unzipFile function in /plugins/client.go when extracting a crafted WASM plugin ZIP archive. A remote privileged user can supply a malicious ZIP archive containing ../ sequences to overwrite arbitrary files and execute arbitrary code.

Exploitation requires plugins to be enabled and a WASM plugin asset loaded by the server, and user interaction is required.

Remediation

Install update from vendor's website.

References

https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg
https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800