CVE Catalog

CVE-2026-58171

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

17th percentile — higher than 17% of all known CVEs

Summary

A vulnerability in Vibe-Trading before version 0.1.10 allows reading and overwriting run.json files outside the runs directory. An attacker can exploit a crafted run identifier supplied via MCP swarm tools, leading to data confidentiality and integrity breaches.

Risk Assessment

The organization is at risk of sensitive data leakage from run.json files and unauthorized modification, which could disrupt system operations or enable further attacks.

Recommendation

Immediately update Vibe-Trading to version 0.1.10 or later, which includes a fix for run identifier validation.

Original NVD description (English source)

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in run_dir (agent/src/swarm/store.py). A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary run.json files outside the runs directory and to overwrite existing run.json files at traversed locations.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS