216.73.217.176

CVE-2026-32733

· Published 20/03/2026 23:16 · Modified 20/03/2026 23:16

Labels: CVE-2026-32733 2026-03-20CVE-2026-32733CWE-22[email protected]

Essential information

Published
20/03/2026 23:16
Modified
20/03/2026 23:16
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
halloy / halloy cpe:2.3:a:halloy:halloy:*:*:*:*:*:*:*:*

References