Cyber Posture

CVE-2026-43616

High · Public PoC

Published: 04 May 2026

Modified: 04 May 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts.

Security Summary (AI)

Detect-It-Easy versions prior to 3.21 are affected by CVE-2026-43616, a path traversal vulnerability (CWE-23) stemming from insufficient path normalization during archive extraction. This flaw enables attackers to write arbitrary files to the filesystem by crafting malicious archive entries that include relative traversal sequences or absolute paths, allowing files to be placed outside the intended extraction directory.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating it requires local access, low attack complexity, no privileges, and user interaction for exploitation. A local attacker can trick a user into processing a malicious archive within Detect-It-Easy, resulting in arbitrary file writes that enable persistent code execution, such as by overwriting user startup scripts.

Mitigation is provided in Detect-It-Easy version 3.21, available at https://github.com/horsicq/DIE-engine/releases/tag/3.21. Relevant fixes include commits https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee and https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69 in the DIE-engine repository, as well as https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259 in the Formats repository. Additional details are in the Detect-It-Easy repository at https://github.com/horsicq/Detect-It-Easy.
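The root cause described above is an extractor that trusts the entry name inside an archive. The check below is an added example written for this page, not code from Detect-It-Easy or from the fix commits linked above: a hypothetical `safe_extract_target` helper that rejects the two entry shapes the advisory names (absolute paths and relative traversal sequences) and confirms, after normalization and resolution, that the destination still lies inside the extraction directory. The sample entry names are constructed for illustration.

```python
import os
import ntpath
import posixpath


def safe_extract_target(dest_dir: str, entry_name: str):
    """Return the absolute path an archive entry may be written to, or None
    if the entry would land outside dest_dir.

    Hypothetical helper written for this example; it is not the
    Detect-It-Easy code. It rejects absolute paths and relative traversal
    sequences, then verifies containment of the resolved target.
    """
    # Archive formats carry either separator; treat both as "/" so that
    # "..\\..\\x" is normalized the same way as "../../x".
    name = entry_name.replace("\\", "/")

    # Absolute POSIX paths, Windows drive letters and UNC prefixes are
    # rejected outright; an archive entry has no legitimate reason to carry them.
    if name.startswith("/") or ntpath.splitdrive(name)[0]:
        return None

    # Normalize lexically first: "a/../../x" collapses to "../x", so a leading
    # ".." after normalization is the only way an entry can still climb out.
    normalized = posixpath.normpath(name)
    if normalized in (".", "..") or normalized.startswith("../"):
        return None

    # Resolve both sides and confirm containment with commonpath rather than a
    # string prefix test ("/out" is a prefix of "/out-evil/x" but does not contain it).
    dest_abs = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_abs, *normalized.split("/")))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


def partition_entries(dest_dir: str, entry_names):
    """Split archive entry names into (accepted targets, rejected names)."""
    accepted, rejected = [], []
    for entry in entry_names:
        target = safe_extract_target(dest_dir, entry)
        if target is None:
            rejected.append(entry)
        else:
            accepted.append(target)
    return accepted, rejected


# Constructed sample entries (not taken from any real archive): two benign
# names and the entry shapes the advisory describes.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "src/../build/notes.md",
    "../../.bashrc",
    "/etc/profile.d/evil.sh",
    "..\\..\\startup.cmd",
    "C:/Users/Public/run.bat",
]

if __name__ == "__main__":
    ok, bad = partition_entries("/tmp/die_extract", SAMPLE_ENTRIES)
    for t in ok:
        print("extract ->", t)
    for e in bad:
        print("reject  ->", e)
```

The order of the checks matters: normalization first turns `src/../build/notes.md` into a benign `build/notes.md` while exposing `a/../../x` as `../x`, and the final `commonpath` comparison on resolved paths catches anything the lexical checks miss, such as a destination that itself sits behind a symlink.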

Details

CWE(s): CWE-23 (Relative Path Traversal)

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1547.001 Registry Run Keys / Startup Folder (Persistence)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
Why these techniques?

Path traversal during archive extraction directly enables arbitrary file write on the local filesystem. This can be triggered by a user opening a malicious archive file in the vulnerable tool (T1204.002) and used to achieve persistence by overwriting startup scripts or placing files in autostart locations (T1547.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References