CVE-2026-55201
Received Received - Intake
Path Traversal in Evil-WinRM Client

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: VulnCheck

Description
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir() function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem command output that are passed unsanitized to File.join(). Attackers controlling the remote server can exploit this to overwrite sensitive client-side files such as SSH authorized_keys or shell configuration files, achieving persistent access or privilege escalation on the client machine.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-55201
EUVD
EUVD-2026-37785
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
evil_winrm evil_winrm to 3.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-55201 is a path traversal vulnerability in Evil-WinRM through version 3.9, specifically in the download_dir() function. This flaw allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames containing traversal sequences from the Get-ChildItem command output. These filenames are passed without proper sanitization to File.join(), enabling attackers controlling the remote server to overwrite sensitive client-side files.

By exploiting this vulnerability, attackers can overwrite important files such as SSH authorized_keys or shell configuration files on the client machine, which can lead to persistent access or privilege escalation.

Impact Analysis

This vulnerability can have serious impacts including unauthorized modification of sensitive client-side files. Attackers can gain persistent access or escalate privileges on the client machine by overwriting files like SSH authorized_keys or shell configuration files.

Such unauthorized access or privilege escalation can compromise the security and integrity of the affected system, potentially leading to further exploitation or data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart