Path traversal in Discourse - CVE-2022-36066
Published: September 29, 2022 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to path traversal in archive extraction when processing a maliciously crafted Zip or Gzip Tar archive upload. A remote privileged user can upload a specially crafted archive to execute arbitrary code.
The issue allows writing files to arbitrary locations before code execution is triggered.