CVE Catalog

CVE-2026-12568

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. A malicious workspace with a name containing path traversal characters may allow an attacker to write arbitrary files to the user's system.

Risk Assessment

An attacker could exploit this vulnerability to write malicious files to the system, potentially leading to further attacks or data compromise.

Recommendation

It is recommended to implement sanitization of workspace names before using them to construct directory paths and to monitor the system for unauthorized files.

Original NVD description (English source)

The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS