CVE-2026-33344

High CVSS: 8.1

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.
Vendor: Dagu
Product: Dagu
CWE: CWE-22
Published: 2026-03-24 20:16:28
Updated: 2026-03-26 13:03:13
Source Identifier: security-advisories@github.com
KEV Date Added: -
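
The validation gap described above, as an added Go example (not Dagu's code): a single lookup helper shared by every endpoint decodes the `{fileName}` segment, validates it, and checks containment before any path is built. The names `validateName` and `locate`, the allow-list pattern, the `.yaml` suffix and the sample directory are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"regexp"
	"strings"
)

var ErrInvalidName = errors.New("invalid DAG name")

// Assumed allow-list; the project's real ValidateDAGName rules may differ.
var safeName = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// validateName is a hypothetical validator: no separators, no "." or "..".
func validateName(name string) error {
	if name == "." || name == ".." || !safeName.MatchString(name) {
		return ErrInvalidName
	}
	return nil
}

// locate is a hypothetical shared lookup. Because GET, DELETE, RENAME and
// EXECUTE would all resolve names through it, no endpoint can skip the check.
func locate(dagsDir, rawSegment string) (string, error) {
	// Decode first so %2F and %2e%2e are judged in their decoded form.
	name, err := url.PathUnescape(rawSegment)
	if err != nil {
		return "", ErrInvalidName
	}
	if err := validateName(name); err != nil {
		return "", err
	}
	full := filepath.Join(dagsDir, name+".yaml") // suffix is an assumption
	// Defence in depth: the joined path must still sit under dagsDir.
	rel, err := filepath.Rel(dagsDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidName
	}
	return full, nil
}

func main() {
	// Constructed sample segments; the directory is a placeholder.
	for _, seg := range []string{"nightly-backup", "..%2F..%2Fetc%2Fpasswd", "%2e%2e", "a%252Fb"} {
		p, err := locate("/var/lib/dagu/dags", seg)
		fmt.Printf("%-26q -> %q %v\n", seg, p, err)
	}
}
```

A double-encoded segment such as `a%252Fb` decodes once to `a%2Fb` and is rejected because `%` is not in the allow-list.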
