CVE Catalog

CVE-2026-37531

Critical
Published: Translated: NVD NIST

Summary

The AGL app framework in versions up to 17.1.12 contains a Zip Slip vulnerability allowing path traversal and a TOCTOU race condition in the widget installation process. The is_valid_filename function does not check for dot notation directory traversal sequences, allowing files to be written anywhere on the filesystem.

Risk Assessment

This vulnerability could lead to unauthorized access to the filesystem, posing a serious threat to the integrity and confidentiality of data within the organization.

Recommendation

It is recommended to update the AGL framework to the latest version that addresses this vulnerability and to implement additional path verification mechanisms before writing files.

Original NVD description (English source)

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT) which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory files written outside via path traversal persist permanently.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS