CVE-2026-3051
Received Received - Intake
Path Traversal in DataLinkDC dinky Project Name Handler

Publication date: 2026-02-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3051
EUVD
EUVD-2026-7443
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dinky dinky to 1.2.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3051 is a path traversal vulnerability in the DataLinkDC Dinky platform (version up to 1.2.5) affecting its Git project management functionality.'}, {'type': 'paragraph', 'content': 'The flaw exists in the function getProjectDir of the file GitRepository.java, where the projectName argument is not properly sanitized. This allows an attacker with permissions to create or edit Git projects to submit malicious project names containing path traversal sequences (e.g., "../../malicious").'}, {'type': 'paragraph', 'content': 'As a result, the system constructs file paths that escape the intended directory, enabling arbitrary file writes outside the designated folder on the server filesystem during project creation or build processes.'}, {'type': 'paragraph', 'content': 'The attack can be performed remotely by an authenticated user with Git project creation or edit permissions, without requiring user interaction.'}] [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing an attacker to write arbitrary files anywhere on the server filesystem where the Dinky application runs.

  • Confidentiality: Low risk, as attackers might read sensitive files if accessible.
  • Integrity: High risk, since attackers can overwrite or plant malicious files such as JARs, configuration files, or other critical files, potentially leading to code execution.
  • Availability: Low risk, but attackers could exhaust disk space or disrupt service availability.

Overall, the vulnerability poses a significant threat to system integrity and could be exploited to compromise the server hosting the Dinky platform.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/api/git/saveOrUpdate` containing project names with path traversal sequences such as "../../malicious".'}, {'type': 'paragraph', 'content': 'Specifically, look for authenticated users with Git project creation or edit permissions submitting payloads with crafted `name` fields that include directory traversal patterns.'}, {'type': 'paragraph', 'content': 'Example detection commands or methods include:'}, {'type': 'list_item', 'content': 'Using network traffic inspection tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to `/api/git/saveOrUpdate` and search for suspicious `name` parameters containing "../" sequences.'}, {'type': 'list_item', 'content': "Using web server logs or application logs to grep for requests with project names containing path traversal patterns, e.g., `grep -r '\\.\\./' /var/log/dinky/`."}, {'type': 'list_item', 'content': 'Checking the database table `dinky_git_project` for project names with unexpected path traversal strings.'}, {'type': 'list_item', 'content': 'Example curl command to test detection: `curl -X POST -H "Content-Type: application/json" -d \'{"name":"../../malicious","url":"https://github.com/example/project.git","branch":"main"}\' http://<target>/api/git/saveOrUpdate` and monitor if such requests appear in logs or network captures.'}] [1]

Mitigation Strategies

Immediate mitigation steps include enforcing strict input validation on project names to prevent path traversal sequences.

  • Implement regex validation to allow only alphanumeric characters, hyphens, and underscores in project names.
  • Normalize and validate file paths in the code to ensure that resolved paths do not escape the intended base directory.
  • Run the Dinky application with minimal file system privileges to limit the impact of any exploitation.
  • Monitor and restrict user permissions so that only trusted users have Git project creation or edit rights.

If possible, consider replacing or upgrading the affected component to a version where this vulnerability is fixed or applying patches that address the input validation and path normalization issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3051. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart