CVE-2026-44933
Deferred Deferred - Pending Action
Path Traversal in PluginScript

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: SUSE

Description
`PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, it is a no-op, allowing the traversed path to execute host binaries (like `/bin/bash`) with root privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-44933
EUVD
EUVD-2026-31074
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-35 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability occurs in PluginScript when it attempts to chroot the plugin to the repoManagerRoot directory. In many standard configurations or when using the --root option, this root directory is set to the system root (/). When the chroot target is /, the chroot operation effectively does nothing (a no-op). This allows an attacker to traverse paths and execute host binaries, such as /bin/bash, with root privileges.

Impact Analysis

This vulnerability can allow an attacker to execute host system binaries with root privileges. Because the chroot operation is ineffective when targeting the system root, an attacker could gain unauthorized root-level access to the system, potentially leading to full system compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart