CVE-2026-49290
Status: Received - Intake
Path Traversal in Slopsmith Web Application

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host.

Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation:

  • `lib/psarc.py::unpack_psarc`: PSARC TOC filenames
  • `lib/patcher.py::unpack_psarc`: duplicate of the above in the patcher flow
  • `lib/sloppak.py::_unpack_zip`: bare `ZipFile.extractall()` with no member filter

Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module's default `extractall()` is documented as not preventing traversal when callers don't supply a member-filter callback.

Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.
Affected Vendors & Products (1 associated CPE)

Vendor: byrongamatos
Product: slopsmith
Version / Range: 0.2.9-alpha.5
CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-23: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

CWE-36: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
AI Quick Actions
Executive Summary

This vulnerability is a path-traversal flaw in Slopsmith's archive extractors prior to version 0.2.9-alpha.5. It allows an attacker to write arbitrary files outside the intended extraction directory by supplying a specially crafted PSARC or sloppak archive. The issue arises because three archive extractors concatenate archive-entry filenames directly onto the extraction root without validating them, permitting directory traversal sequences like '..' or absolute paths. This can lead to files being placed anywhere on the host system.

When Slopsmith is run with the default Docker configuration (which runs as root) and an attacker can drop a file into the plugin directory, this vulnerability can escalate to arbitrary remote code execution on the host machine.

The vulnerability was patched in version 0.2.9-alpha.5 by adding proper validation to prevent path traversal during archive extraction.

Impact Analysis

This vulnerability can have serious impacts including unauthorized file writes outside the intended extraction directory, potentially overwriting or creating critical system files.

If the Slopsmith instance is running with default Docker settings (as root), an attacker exploiting this flaw can achieve arbitrary remote code execution on the host system, leading to full system compromise.

This means attackers could execute malicious code, install backdoors, or disrupt the normal operation of the host environment.

Detection Guidance

This vulnerability involves path traversal in archive extractors used by Slopsmith prior to version 0.2.9-alpha.5. Detection centres on finding whether untrusted PSARC or sloppak archives have been extracted without entry-name validation, which would have allowed arbitrary file writes outside the intended directory.

Since Slopsmith runs inside a Docker container (often as root), monitoring file system changes in the plugin directory or extraction directories for unexpected or suspicious files can help detect exploitation attempts.

Specific commands to detect this vulnerability are not provided in the available resources. However, general approaches include:

  • Checking Docker container logs for unusual activity or errors related to archive extraction.
  • Using file integrity monitoring tools to detect unexpected file creations or modifications outside expected directories.
  • Manually inspecting extracted archive contents for files with path traversal patterns such as filenames containing '..' or absolute paths.
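The per-entry validation the description says the three extractors lacked, and the manual inspection for traversal patterns suggested in the detection guidance above, share the same check: reject entry names with `..` segments, absolute paths, or backslash separators before joining them to the extraction root. The following is an added example written for this page, not Slopsmith's code and not its 0.2.9-alpha.5 patch. It assumes a zip-based archive like a sloppak file (the same `unsafe_reason`/`audit_members` functions apply to any list of names, such as PSARC TOC filenames), builds a small archive in memory with constructed entry names, and writes validated members itself instead of relying on `extractall()`; the resolved-path containment check is an independent second line of defence.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import PurePosixPath
from typing import Iterable, List, Optional, Tuple


def unsafe_reason(name: str) -> Optional[str]:
    """Return why an archive entry name could escape the extraction root,
    or None if it looks safe. The patterns are the three the advisory names:
    '..' segments, absolute paths (POSIX or drive-letter), backslash separators."""
    if not name.strip("/"):
        return "empty name"
    if "\\" in name:
        return "backslash separator"
    if name.startswith("/") or (len(name) >= 2 and name[0].isalpha() and name[1] == ":"):
        return "absolute path"
    if ".." in PurePosixPath(name).parts:
        return "parent-directory segment"
    return None


def audit_members(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Detection helper: (name, reason) for every entry that fails validation.
    Works on ZipFile.namelist() as well as on a list of PSARC TOC filenames."""
    return [(n, r) for n in names if (r := unsafe_reason(n)) is not None]


def safe_extract(zf: zipfile.ZipFile, dest: str, strict: bool = True) -> List[str]:
    """Extract only validated members, writing each file ourselves rather than
    calling extractall(). Returns the absolute paths written. strict=True aborts
    on the first bad entry (the safer default); strict=False skips bad entries."""
    dest_real = os.path.realpath(dest)
    bad = audit_members(zf.namelist())
    if bad and strict:
        raise ValueError(f"refusing archive with unsafe entries: {bad}")
    written: List[str] = []
    for info in zf.infolist():
        if unsafe_reason(info.filename) is not None:
            continue  # non-strict mode: skip the bad entry, keep the rest
        target = os.path.realpath(os.path.join(dest_real, info.filename))
        # Independent check: after resolving symlinks the path must still sit under dest.
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError(f"resolved path escapes root: {info.filename}")
        if info.is_dir():
            os.makedirs(target, exist_ok=True)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with zf.open(info) as src, open(target, "wb") as dst:
            shutil.copyfileobj(src, dst)
        written.append(target)
    return written


def build_sample_archive() -> bytes:
    """Constructed in-memory zip: one benign entry plus one entry for each of the
    three traversal patterns. Entry names here are made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("songs/track.json", b"{}")
        zf.writestr("../outside.txt", b"x")
        zf.writestr("/abs/outside.txt", b"x")
        zf.writestr("plugins\\..\\outside.py", b"x")
    return buf.getvalue()


def strict_rejects(data: bytes) -> bool:
    """True if safe_extract in strict mode refuses the archive outright."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(zf, tmp)
        except ValueError:
            return True
    return False


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Audit the sample archive, then extract it in non-strict mode into a
    temporary directory and report which entries were actually written."""
    data = build_sample_archive()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, tempfile.TemporaryDirectory() as tmp:
        flagged = audit_members(zf.namelist())
        root = os.path.realpath(tmp)
        written = safe_extract(zf, root, strict=False)
        names = [os.path.relpath(p, root) for p in written]
    return flagged, names


if __name__ == "__main__":
    flagged, names = demo()
    for name, reason in flagged:
        print(f"FLAGGED {name!r}: {reason}")
    print("extracted:", names)
```

Running the block flags the three crafted entries and writes only `songs/track.json`; in the default strict mode the whole archive is refused, which is the behaviour to prefer for an extractor that feeds a plugin directory, since a partially extracted archive is rarely useful and a flagged entry is itself a signal worth logging.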
Compliance Impact

The vulnerability allows an attacker to write arbitrary files outside the intended extraction directory and potentially execute arbitrary remote code on the host system. This could lead to unauthorized access, data manipulation, or data breaches.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security.

Until the instance is updated to the patched version (0.2.9-alpha.5), users are advised not to open archives from untrusted sources or expose the Slopsmith instance to the public internet; these are important mitigation steps for maintaining compliance.

Mitigation Strategies

To mitigate this vulnerability immediately, do not open PSARC or sloppak archives from untrusted sources.

Do not expose the Slopsmith instance to the public internet until it is updated.

If you are using the Docker version of Slopsmith, avoid running the container as root or drop privileges if possible.

Once available, pull and deploy the latest Slopsmith Docker image that includes the patch (version 0.2.9-alpha.5 or later).
