CVE-2026-15527
Received Received - Intake

Path Traversal in Better-Auth Better-Icons

Vulnerability report for CVE-2026-15527, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scan_project_icons/sync_icon. Such manipulation of the argument icons_file leads to path traversal. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
better-auth better-icons to 1.0.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the better-icons MCP server up to version 1.0.5, specifically the tools scan_project_icons and sync_icon. The issue arises because these tools accept an icons_file argument without proper validation, allowing attackers to perform path traversal attacks.

The sync_icon tool is particularly dangerous because it writes generated component source code directly to the attacker-supplied icons_file path, including creating missing parent directories. It also accepts a component_name parameter that is inserted into generated source code without validation, enabling raw source code injection.

The scan_project_icons tool reads the attacker-supplied icons_file path and discloses matching icon definitions, allowing attacker-chosen file reads with pattern-based disclosure.

Overall, the vulnerability allows local attackers to read arbitrary files, write or modify files at arbitrary writable paths, and inject malicious source code due to lack of path validation, project-root confinement, extension checks, and identifier validation.

Impact Analysis

This vulnerability can have several impacts if exploited locally by an attacker:

  • Arbitrary file read: Attackers can read specific files on the system by supplying crafted paths.
  • Arbitrary file write: Attackers can create or modify files at arbitrary writable locations, potentially overwriting important files.
  • Source code injection: Attackers can inject malicious code into source files via the component_name parameter, which may execute when the victim project imports or builds the injected files.
  • Potential compromise of the victim project environment due to execution of injected malicious code.
Detection Guidance

This vulnerability involves the better-icons MCP server tools `scan_project_icons` and `sync_icon` accepting an `icons_file` argument without proper validation, leading to path traversal and potential code injection.

Detection can focus on monitoring or auditing usage of these tools, especially any invocation of `sync_icon` or `scan_project_icons` with suspicious or out-of-scope file paths in the `icons_file` argument.

Since the tools are CLI-based, you can check command history or running processes for commands like:

  • `sync_icon --icons_file <path>`
  • `scan_project_icons --icons_file <path>`

Additionally, searching for unexpected file writes or modifications outside the project root, or files containing injected source code patterns, can help detect exploitation attempts.

No specific detection commands are provided in the resources, but monitoring MCP client invocations and file system changes related to these tools is recommended.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling local access to the better-icons MCP server tools `scan_project_icons` and `sync_icon` until a fix is applied.

Ensure that only trusted users can invoke these tools locally, as the attack requires local access.

Monitor and audit usage of the `icons_file` and `component_name` parameters to detect and prevent malicious input.

Apply or wait for patches that add path-safety checks, enforce project-root confinement, validate file extensions, and implement strict identifier validation for `component_name` and `icon_id`.

Until a patch is available, consider manual code review and restricting file system permissions to prevent unauthorized file writes or modifications by these tools.

Compliance Impact

The vulnerability in better-auth better-icons up to version 1.0.5 allows local attackers to perform path traversal, arbitrary file writes, and source code injection via the sync_icon and scan_project_icons tools. This can lead to unauthorized file access and execution of malicious code within the affected environment.

Such unauthorized access and potential code execution could compromise the confidentiality, integrity, and availability of data handled by the affected system. This may result in violations of data protection and security requirements mandated by standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and modification.

However, the vulnerability requires local access and exploitation through MCP clients or malicious tool invocation, which may limit the exposure depending on the deployment context and existing access controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15527. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart