{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32733", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.627Z", "datePublished": "2026-03-20T22:37:39.365Z", "dateUpdated": "2026-03-24T02:06:30.856Z"}, "containers": {"cna": {"title": "Halloy has a file transfer path traveral vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89"}, {"name": "https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6", "tags": ["x_refsource_MISC"], "url": "https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6"}], "affected": [{"vendor": "squidowl", "product": "halloy", "versions": [{"version": "<= 2026.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:37:39.365Z"}, "descriptions": [{"lang": "en", "value": "Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function."}], "source": {"advisory": "GHSA-fqrv-rfg4-rv89", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T02:05:28.617783Z", "id": "CVE-2026-32733", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T02:06:30.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32733", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T02:05:28.617783Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T02:06:24.819Z"}}], "cna": {"title": "Halloy has a file transfer path traveral vulnerability", "source": {"advisory": "GHSA-fqrv-rfg4-rv89", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "squidowl", "product": "halloy", "versions": [{"status": "affected", "version": "<= 2026.4"}]}], "references": [{"url": "https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89", "name": "https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6", "name": "https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:37:39.365Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32733", "state": "PUBLISHED", "dateUpdated": "2026-03-24T02:06:30.856Z", "dateReserved": "2026-03-13T15:02:00.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T22:37:39.365Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:halloy:halloy:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAB64661-0590-4ABE-B7BC-1D17D0681AC3", "versionEndIncluding": "2026.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function."}], "id": "CVE-2026-32733", "lastModified": "2026-03-23T19:21:36.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:44.703", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "halloy", "source": "cna", "vendor": "squidowl"}, "product": "halloy", "vendor": "squidowl"}], "analysis": {"en": {"generated_at": "2026-03-23T20:52:17.658021+00:00", "value": {"mitigation_remediation": ["Update Halloy to a version that includes commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 or later.", "If an update is not feasible, disable automatic DCC file acceptance or enforce manual approval of all DCC SEND requests."], "summary": {"action": "Immediate Patch", "impact": "Remote Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all releases of Halloy before the specified commit, regardless of the operating system. Users running an older Halloy version and enabling automatic acceptance of DCC file transfers are at risk; any user who allows incoming DCC SEND requests without manual confirmation is susceptible.", "description_and_impact": "Halloy, an IRC client coded in Rust, suffered from a path traversal flaw in its DCC receive flow. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, filenames supplied by an incoming DCC SEND request were not sanitized, allowing an attacker to embed traversal characters such as ../../.ssh/authorized_keys. This weakness, classified as CWE\u201122 (Path Traversal), would cause the client to write the file outside the configured save directory, enabling overwriting of arbitrary files on the victim\u2019s file system. The impact is a remote arbitrary file write with potential to compromise confidentiality, integrity, or availability of the victim\u2019s data.", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1\u202f% suggests low current exploitation likelihood. Halloy is not listed in the CISA KEV catalog. Exploitation requires a victim to be connected to an IRC server that can send a DCC SEND request; the attacker must craft a malicious filename. With auto\u2011accept enabled, no user interaction is required, making remote exploitation straightforward. Attackers could potentially overwrite sensitive files such as authorized_keys, leading to privilege escalation or unauthorized access."}}}}, "created": "2026-03-23T09:52:22.481746+00:00", "updated": "2026-03-25T14:34:14.734246+00:00", "vendors": ["squidowl", "squidowl$PRODUCT$halloy"]}