{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21878", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.928Z", "datePublished": "2026-02-13T18:10:26.325Z", "dateUpdated": "2026-02-13T18:53:59.648Z"}, "containers": {"cna": {"title": "BACnet Stack Improperly Limits Pathnames to a Restricted Directory", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j"}, {"name": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3", "tags": ["x_refsource_MISC"], "url": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3"}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"version": "< 1.5.0.rc3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T18:10:26.325Z"}, "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3."}], "source": {"advisory": "GHSA-p8rx-c26w-545j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T18:53:41.608462Z", "id": "CVE-2026-21878", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:53:59.648Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21878", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T18:53:41.608462Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:53:52.251Z"}}], "cna": {"title": "BACnet Stack Improperly Limits Pathnames to a Restricted Directory", "source": {"advisory": "GHSA-p8rx-c26w-545j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bacnet-stack", "product": "bacnet-stack", "versions": [{"status": "affected", "version": "< 1.5.0.rc3"}]}], "references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j", "name": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3", "name": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T18:10:26.325Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21878", "state": "PUBLISHED", "dateUpdated": "2026-02-13T18:53:59.648Z", "dateReserved": "2026-01-05T17:24:36.928Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-13T18:10:26.325Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "2B47182E-6B7F-4C53-904A-EB37C9C0A439", "vulnerable": true}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "CF491863-1A31-4A23-A6AC-DF7545FCAA48", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3."}], "id": "CVE-2026-21878", "lastModified": "2026-02-18T18:49:16.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-13T19:17:28.650", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0.rc3)"}}], "product": "bacnet_stack", "vendor": "bacnetstack"}], "analysis": {"en": {"generated_at": "2026-04-17T19:50:57.382504+00:00", "value": {"mitigation_remediation": ["Upgrade BACnet Stack to version 1.5.0 rc3 or later to apply the vendor patch that validates file paths", "If upgrading is not immediately possible, disable or restrict the file\u2011write functionality in the application or remove the components (apps/readfile/main.c and ports/posix/bacfile\u2011posix.c) that expose the vulnerability", "Set strict filesystem permissions on the target device so that the BACnet process runs with the minimum privileges required, preventing arbitrary file modifications"], "summary": {"action": "Patch Now", "impact": "Arbitrary file write on BACnet devices"}, "threat_synthesis": {"affected_systems": "The affected product is the BACnet Stack library from the bacnet-stack project. Versions 1.5.0 rc1 and rc2 are vulnerable; the issue is resolved in 1.5.0 rc3 and later releases. The flaw is relevant to embedded systems that use the BACnet protocol stack for building automation, HVAC, and related industrial control settings.", "description_and_impact": "BACnet Stack\u2019s file\u2011writing functions fail to validate user\u2011supplied file paths, permitting attackers to write files to any filesystem location. This flaw is a classic example of an uncontrolled path traversal (CWE\u201122) that can compromise confidentiality, integrity, or availability if critical files are altered or malicious payloads are deployed. The vulnerability is present in the libraries used by apps/readfile/main.c and ports/posix/bacfile\u2011posix.c, allowing write operations without directory restriction.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% reflects a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but the potential impact of uncontrolled file writes is significant. The likely attack vector is an adversary that can invoke the BACnet stack\u2019s file writing interface\u2014either remotely or locally\u2014together with any utility that specifies file paths. Successful exploitation would allow an attacker to create, modify, or delete files anywhere on the device\u2019s filesystem."}}}}, "created": "2026-02-13T21:28:30.972312+00:00", "updated": "2026-04-17T20:00:09.013567+00:00", "vendors": ["bacnetstack", "bacnetstack$PRODUCT$bacnet_stack"]}