CVE-2026-41046
Path Traversal in qSnapper Before Version 1.3.3

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: SUSE

Description
A path traversal attack when using a "configName" parameter in qSnapper before version 1.3.3 allowed a local attacker to use malicious config files for snapper and so cause a denial of service or potentially escalate privileges to root.
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
CWE
CWE-23: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Executive Summary

CVE-2026-41046 is a path traversal vulnerability in the qsnapper software, specifically in the GetFileDiffAndDetails method. This method can be accessed by local interactive users without password authentication. The vulnerability occurs because the configName parameter can include slashes and ".." path components, allowing an attacker to select arbitrary files as configuration files for libsnapper.

This can lead to a major local information leak, a denial of service (DoS), or potentially escalate privileges to root.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you by allowing a local attacker to cause a denial of service (DoS) on the affected system.

Additionally, it may enable an attacker to escalate their privileges to root, which would give them full control over the system.

It can also lead to a significant local information leak by accessing arbitrary configuration files.

Detection Guidance

This vulnerability affects the qsnapper software, specifically the `GetFileDiffAndDetails` method that uses the `configName` parameter. Detection involves checking if your system is running a vulnerable version of qsnapper (prior to 1.3.3) and monitoring for usage of the `GetFileDiffAndDetails` method with suspicious `configName` parameters containing path traversal sequences such as slashes and "..".

Since the vulnerability is local and involves path traversal in a parameter, you can detect attempts by auditing local command usage or scripts invoking qsnapper with unusual `configName` values.

Suggested commands to detect vulnerable versions and suspicious activity include:

  • Check qsnapper version: `qsnapper --version` or `rpm -q qsnapper`
  • Search for qsnapper processes or commands using suspicious configName parameters in shell history or process lists.
  • Audit system logs for errors or crashes related to qsnapper that might indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade qsnapper to version 1.3.3 or later, where this path traversal vulnerability has been fixed.

Until the upgrade can be applied, restrict local user access to qsnapper to trusted users only, as the vulnerability requires local access.

Monitor and audit usage of qsnapper, especially the `GetFileDiffAndDetails` method, to detect and prevent exploitation attempts.
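The executive summary above describes the root cause (a `configName` that may contain slashes and ".." components) and this section describes the fix. The following is an added example, not code from qSnapper or SUSE, that shows the unsafe concatenation pattern beside a hardened version: an allow-list check on the name plus a lexical containment check on the joined path. The config directory `/etc/snapper/configs` and the function names are assumptions chosen for illustration and are not taken from qSnapper's sources.

```cpp
// Added example (not qSnapper's code): validating a caller-supplied config
// name so it can only select a file inside the snapper config directory.
#include <filesystem>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Assumed location of snapper's per-config files (illustrative only).
constexpr std::string_view kConfigDir = "/etc/snapper/configs";

// The unsafe pattern (CWE-23): the caller-controlled name is appended
// verbatim, so a name such as "../../tmp/x" or an absolute path resolves
// to a file outside kConfigDir.
std::string unsafeConfigPath(std::string_view configName) {
    return std::string(kConfigDir) + "/" + std::string(configName);
}

// Allow-list check: a config name must be a single path component built
// from a conservative character set. Rejecting separators and "." / ".."
// up front means no traversal sequence ever reaches the path join.
bool isValidConfigName(std::string_view name) {
    if (name.empty() || name.size() > 255) return false;
    if (name == "." || name == "..") return false;
    for (unsigned char c : name) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        if (!ok) return false;  // rejects '/', '\\', NUL, spaces, ...
    }
    return true;
}

// Defence in depth: after the allow-list, confirm lexically that every
// component of the config directory still prefixes the joined path.
// This is string-only (no filesystem access), so it cannot detect symlinks;
// production code would additionally open with O_NOFOLLOW or compare
// canonicalised paths.
std::optional<std::string> safeConfigPath(std::string_view configName) {
    if (!isValidConfigName(configName)) return std::nullopt;
    fs::path base = fs::path(std::string(kConfigDir)).lexically_normal();
    fs::path joined = (base / std::string(configName)).lexically_normal();
    auto bi = base.begin();
    auto ji = joined.begin();
    for (; bi != base.end(); ++bi, ++ji) {
        if (ji == joined.end() || *bi != *ji) return std::nullopt;
    }
    return joined.string();
}
```

The allow-list is the check that actually closes the hole; the containment loop exists so that a later refactor which loosens the character set cannot silently reintroduce traversal. Both checks run before any file is opened, which is where the detection guidance above expects rejected `configName` values to be logged.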
