CVE-2026-58173
Received Received - Intake

Path Traversal in Vibe-Trading Persistent Memory Store

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description
Vibe-Trading before 0.1.10 contains a path traversal vulnerability that allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences through the remember tool. Attackers can manipulate the memory_type parameter in the persistent memory store to cause the application to write arbitrary Markdown files to unintended locations on the filesystem.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
CVE-2026-58173
EUVD
EUVD-2026-40354

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hkuds vibe-trading to 0.1.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Vibe-Trading versions before 0.1.10 contain a path traversal vulnerability in the remember tool. This flaw arises because the application improperly handles the memory_type parameter, allowing attackers to supply malicious path traversal sequences.

By exploiting this, attackers can cause the application to write arbitrary Markdown files outside the intended memory root directory on the filesystem, potentially placing files in unintended locations.

Impact Analysis

The vulnerability allows attackers with some level of access (low privileges) to write arbitrary Markdown files outside the designated memory directory.

This can lead to unauthorized file creation on the filesystem, which might be used to manipulate application behavior, store malicious content, or disrupt normal operations.

However, the impact is limited to file creation and does not affect frontend behavior, live trading, or API settings.

Detection Guidance

This vulnerability involves the manipulation of the memory_type parameter in the persistent memory store to write arbitrary Markdown files outside the intended directory. Detection can focus on monitoring file writes to unexpected locations or inspecting usage of the remember tool with suspicious memory_type values containing path traversal sequences such as '../'.

Suggested commands to detect potential exploitation attempts include searching for Markdown files created outside the expected memory root directory and monitoring application logs for errors related to invalid memory_type parameters.

  • Find Markdown files outside the intended directory (example path /var/vibe-trading/memory):
  • find /var/vibe-trading -type f -name '*.md' ! -path '/var/vibe-trading/memory/*'
  • Search application logs for suspicious memory_type values containing path traversal sequences:
  • grep -r '\.\./' /var/log/vibe-trading/
Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Vibe-Trading to version 0.1.10 or later, where the issue has been fixed by validating the memory_type parameter against an allowlist of valid categories.

If upgrading is not immediately possible, implement input validation to reject memory_type values containing path traversal sequences or unexpected values before they reach the persistent memory store.

Additionally, monitor and restrict file system permissions to prevent unauthorized file writes outside the intended directories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart