{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33166", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.888Z", "datePublished": "2026-03-20T21:38:23.475Z", "dateUpdated": "2026-03-24T02:04:09.955Z"}, "containers": {"cna": {"title": "Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw"}], "affected": [{"vendor": "allure-framework", "product": "allure2", "versions": [{"version": "< 2.38.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:38:23.475Z"}, "descriptions": [{"lang": "en", "value": "Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue."}], "source": {"advisory": "GHSA-64hm-gfwq-jppw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T02:03:48.497897Z", "id": "CVE-2026-33166", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T02:04:09.955Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33166", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T02:03:48.497897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T02:04:06.012Z"}}], "cna": {"title": "Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)", "source": {"advisory": "GHSA-64hm-gfwq-jppw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "allure-framework", "product": "allure2", "versions": [{"status": "affected", "version": "< 2.38.0"}]}], "references": [{"url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw", "name": "https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:38:23.475Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33166", "state": "PUBLISHED", "dateUpdated": "2026-03-24T02:04:09.955Z", "dateReserved": "2026-03-17T21:17:08.888Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T21:38:23.475Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qameta:allure_report:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7150AE8-CD9B-414E-9DAB-93F8466BEED6", "versionEndExcluding": "2.38.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue."}, {"lang": "es", "value": "Allure 2 es la rama 2.x de Allure Report, una herramienta de informes de pruebas multilenguaje. El generador de informes de Allure anterior a la versi\u00f3n 2.38.0 es vulnerable a una lectura de archivo arbitraria mediante salto de ruta al procesar los resultados de las pruebas. Un atacante puede crear un archivo de resultados malicioso (-result.json, -container.json o .plist) que apunte una fuente de adjunto a un archivo sensible en el sistema anfitri\u00f3n. Durante la generaci\u00f3n del informe, Allure resolver\u00e1 estas rutas e incluir\u00e1 los archivos sensibles en el informe final. La versi\u00f3n 2.38.0 corrige el problema."}], "id": "CVE-2026-33166", "lastModified": "2026-04-14T18:42:27.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T22:16:28.660", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.38.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "allure2", "source": "cna", "vendor": "allure-framework"}, "product": "allure2", "vendor": "allure-framework"}], "analysis": {"en": {"generated_at": "2026-04-14T21:49:09.780834+00:00", "value": {"mitigation_remediation": ["Upgrade Allure Report to version 2.38.0 or later.", "If an upgrade is not immediately possible, validate and sanitize incoming test result files before they are processed.", "Restrict file\u2011system permissions for the user running the Allure report generator to limit access to sensitive files.", "Monitor generated reports for unexpected inclusion of sensitive data that may indicate exploitation attempts."], "summary": {"action": "Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The flaw affects the Allure Report tool across its 1.x and 2.x branches, including the XCTest Reader component. Any installation of Allure Report before version 2.38.0 is vulnerable. The issue is identified by the Allure Framework for Allure Report products.", "description_and_impact": "Allure Report versions prior to 2.38.0 allow an attacker to read arbitrary files on the host system by injecting path traversal sequences into the attachment source field of test result files. During report generation, the tool resolves these paths and copies the referenced files into the final report, thereby exposing confidential data. This vulnerability is a classic path traversal flaw (CWE-22).", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity, while the EPSS score below 1\u202f% suggests that exploitation is currently uncommon, and the vulnerability is not included in the CISA KEV catalog. An attacker must supply a crafted test result file; the vulnerability is triggered during report generation and can read any file accessible to the process, potentially exposing sensitive configuration or secret files."}}}}, "created": "2026-03-23T09:52:35.714227+00:00", "updated": "2026-04-15T16:45:09.807287+00:00", "vendors": ["allure-framework", "allure-framework$PRODUCT$allure2"]}