{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28676", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.926Z", "datePublished": "2026-03-06T04:23:12.727Z", "dateUpdated": "2026-03-09T19:48:27.645Z"}, "containers": {"cna": {"title": "OpenSift: Insufficient path containment checks in storage helpers could allow path traversal-style file operations", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv"}, {"name": "https://github.com/OpenSift/OpenSift/pull/67", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSift/OpenSift/pull/67"}, {"name": "https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b"}, {"name": "https://github.com/OpenSift/OpenSift/commit/de99b9c", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSift/OpenSift/commit/de99b9c"}, {"name": "https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha"}], "affected": [{"vendor": "OpenSift", "product": "OpenSift", "versions": [{"version": "< 1.6.3-alpha", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:23:12.727Z"}, "descriptions": [{"lang": "en", "value": "OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did not uniformly enforce base-directory containment. This created path-injection risk in file read/write/delete flows if malicious path-like values were introduced. This issue has been patched in version 1.6.3-alpha."}], "source": {"advisory": "GHSA-ww4m-c7hv-2rqv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:48:09.897561Z", "id": "CVE-2026-28676", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:48:27.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28676", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T19:48:09.897561Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:48:16.112Z"}}], "cna": {"title": "OpenSift: Insufficient path containment checks in storage helpers could allow path traversal-style file operations", "source": {"advisory": "GHSA-ww4m-c7hv-2rqv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenSift", "product": "OpenSift", "versions": [{"status": "affected", "version": "< 1.6.3-alpha"}]}], "references": [{"url": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv", "name": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenSift/OpenSift/pull/67", "name": "https://github.com/OpenSift/OpenSift/pull/67", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b", "name": "https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenSift/OpenSift/commit/de99b9c", "name": "https://github.com/OpenSift/OpenSift/commit/de99b9c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha", "name": "https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did not uniformly enforce base-directory containment. This created path-injection risk in file read/write/delete flows if malicious path-like values were introduced. This issue has been patched in version 1.6.3-alpha."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:23:12.727Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28676", "state": "PUBLISHED", "dateUpdated": "2026-03-09T19:48:27.645Z", "dateReserved": "2026-03-02T21:43:19.926Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:23:12.727Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensift:opensift:*:*:*:*:*:python:*:*", "matchCriteriaId": "D1037E2F-1527-4C09-8D8D-78E56E6DDC78", "versionEndExcluding": "1.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did not uniformly enforce base-directory containment. This created path-injection risk in file read/write/delete flows if malicious path-like values were introduced. This issue has been patched in version 1.6.3-alpha."}, {"lang": "es", "value": "OpenSift es una herramienta de estudio de IA que tamiza grandes conjuntos de datos utilizando b\u00fasqueda sem\u00e1ntica e IA generativa. Antes de la versi\u00f3n 1.6.3-alpha, m\u00faltiples asistentes de almacenamiento utilizaban patrones de construcci\u00f3n de rutas que no aplicaban uniformemente la contenci\u00f3n del directorio base. Esto creaba riesgo de inyecci\u00f3n de rutas en los flujos de lectura/escritura/eliminaci\u00f3n de archivos si se introduc\u00edan valores maliciosos similares a rutas. Este problema ha sido parcheado en la versi\u00f3n 1.6.3-alpha."}], "id": "CVE-2026-28676", "lastModified": "2026-03-18T13:02:04.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-06T05:16:36.270", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/OpenSift/OpenSift/commit/de99b9c"}, {"source": "[email protected]", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/OpenSift/OpenSift/pull/67"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha"}, {"source": "[email protected]", "tags": ["Vendor Advisory", "Patch"], "url": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.3-alpha)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSift", "source": "cna", "vendor": "OpenSift"}, "product": "opensift", "vendor": "opensift"}], "created": "2026-03-06T14:55:52.217584+00:00", "updated": "2026-03-06T14:55:52.217715+00:00", "vendors": ["opensift", "opensift$PRODUCT$opensift"]}