Critical Vulnerability Information

Vulnerability Overview
Vulnerability Type: Arbitrary file upload caused by path traversal
Affected Package: 
Affected Versions: Gin-vue-admin <= v2.8.7
Fixed Version: None
Severity / CVSS Score: High
CVE ID: CVE-2026-22786
Weakness Type: CWE-24 (Path Traversal: '../filedir'), CWE-434 (Unrestricted Upload of File with Dangerous Type)

Impact Description:
A path traversal vulnerability in the resume upload functionality lets an attacker write uploaded files to any directory the application process can write to.

Specific Impact:
- Path Traversal: Attackers can access or write files outside the directories the application intends for uploads.
- Exploitation Method: The function in , reached via the API endpoint, concatenates the client-supplied filename directly with the base directory path without any validation.
- Permissions: Exploitation requires an account that holds the file upload permission (e.g., role ID 888, Super Admin). The privilege requirement limits the attack surface to compromised or malicious administrator accounts, but the issue still matters because it turns an admin-level web account into an arbitrary file write on the server's filesystem.

Consequences:
- Arbitrary file creation, interference with application processes, overwriting of configuration files, potential remote code execution, etc.

Proof of Concept (POC) Steps:
1. Upload a file through the specific endpoint.
2. Use  in the filename to traverse to the desired path.
3. Detailed HTTP request examples and server logs, demonstrating a successful file write to a predefined path, are provided with the original report.

Remediation Patch:
No official patch is available yet; wait for the official patch release. Until then, a general mitigation is to reject or strip any directory component from client-supplied filenames before joining them with the upload directory, and to restrict the file upload permission to trusted accounts.

Reference Links
Project GitHub Link
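The following Go example is added here to illustrate the bug class the advisory describes and one way to fix it; it is not gin-vue-admin's code and does not reproduce the affected function. The vulnerable pattern (filepath.Join on a client-supplied filename) is an assumed reconstruction of the concatenation described above, the upload directory /srv/app/uploads/resumes is an assumption, and the extension allowlist is a hypothetical policy for resume uploads. The hardened version rejects any directory component, enforces an extension allowlist (addressing the CWE-434 side), never reuses the client's name, and re-checks that the final path stays inside the upload directory.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// unsafeUploadPath shows the vulnerable pattern: the client-supplied filename
// is joined to the base directory with no validation, so a name such as
// "../../config.yaml" resolves outside baseDir. Illustrative only, not the
// project's code.
func unsafeUploadPath(baseDir, clientFilename string) string {
	return filepath.Join(baseDir, clientFilename)
}

// allowedResumeExts is a hypothetical allowlist for a resume upload endpoint.
var allowedResumeExts = map[string]bool{".pdf": true, ".doc": true, ".docx": true}

// safeUploadPath returns a destination path that is guaranteed to lie inside
// baseDir, or an error if the client-supplied name is unacceptable.
func safeUploadPath(baseDir, clientFilename string, allowed map[string]bool) (string, error) {
	// Treat backslashes as separators too, so "..\\..\\x" is caught on Linux
	// where filepath would otherwise see it as a single plain filename.
	name := strings.ReplaceAll(clientFilename, "\\", "/")

	// Reject, rather than silently strip, any directory component, dot-dot
	// sequence or NUL byte. Clearly malicious input should fail loudly.
	// (A legitimate name like "my..cv.pdf" is also rejected; acceptable here.)
	if name == "" || strings.Contains(name, "/") || strings.Contains(name, "..") || strings.ContainsRune(name, 0) {
		return "", errors.New("filename contains path components")
	}

	// Enforce the extension allowlist, case-insensitively.
	ext := strings.ToLower(filepath.Ext(name))
	if !allowed[ext] {
		return "", fmt.Errorf("extension %q not permitted", ext)
	}

	// Never reuse the client's name on disk: generate a random server-side name
	// and keep only the validated extension.
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	dest := filepath.Join(baseDir, hex.EncodeToString(b[:])+ext)

	// Defense in depth: confirm the resolved path is still inside baseDir.
	rel, err := filepath.Rel(baseDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("destination escapes upload directory")
	}
	return dest, nil
}

func main() {
	base := "/srv/app/uploads/resumes" // assumed upload directory for the example
	fmt.Println("unsafe:", unsafeUploadPath(base, "../../config.yaml"))
	for _, n := range []string{"resume.pdf", "../../config.yaml", "..\\..\\evil.pdf", "shell.php"} {
		p, err := safeUploadPath(base, n, allowedResumeExts)
		fmt.Printf("%-22s -> path=%q err=%v\n", n, p, err)
	}
}
```

Running the block shows the unsafe join landing at /srv/app/config.yaml, while the hardened function rejects the traversal names and the .php upload and stores resume.pdf under a random name inside the base directory. Keep the allowlist and the rejection policy server-side; client-side checks are trivially bypassed with a crafted request.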