{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33344", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.813Z", "datePublished": "2026-03-24T19:23:56.617Z", "dateUpdated": "2026-03-24T19:57:38.816Z"}, "containers": {"cna": {"title": "Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8"}, {"name": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb", "tags": ["x_refsource_MISC"], "url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb"}], "affected": [{"vendor": "dagu-org", "product": "dagu", "versions": [{"version": ">= 2.0.0, < 2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:23:56.617Z"}, "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1."}], "source": {"advisory": "GHSA-ph8x-4jfv-v9v8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T19:48:53.736104Z", "id": "CVE-2026-33344", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T19:57:38.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33344", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T19:48:53.736104Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T19:57:31.699Z"}}], "cna": {"title": "Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG", "source": {"advisory": "GHSA-ph8x-4jfv-v9v8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dagu-org", "product": "dagu", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.3.1"}]}], "references": [{"url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8", "name": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb", "name": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:23:56.617Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33344", "state": "PUBLISHED", "dateUpdated": "2026-03-24T19:57:38.816Z", "dateReserved": "2026-03-18T22:15:11.813Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:23:56.617Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA816FA1-28C8-423D-9509-4299AA991660", "versionEndExcluding": "2.3.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1."}], "id": "CVE-2026-33344", "lastModified": "2026-03-26T13:03:13.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:28.910", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dagu", "source": "cna", "vendor": "dagu-org"}, "product": "dagu", "vendor": "dagu-org"}], "analysis": {"en": {"generated_at": "2026-03-26T15:23:47.919546+00:00", "value": {"mitigation_remediation": ["Apply a patch or upgrade to Dagu version 2.3.1 or later"], "summary": {"action": "Apply Patch", "impact": "Path traversal via encoded slashes allowing unauthorized file access"}, "threat_synthesis": {"affected_systems": "The affected product is Dagu, a workflow engine with a web interface, provided by the vendor dagu-org. Versions from 2.0.0 up to, but not including, 2.3.1 are vulnerable. Version 2.3.1 and later include a fix that ensures the file name is validated before use.", "description_and_impact": "The vulnerability arises because Dagu\u2019s API endpoints for getting, deleting, renaming, and executing DAGs pass the {fileName} URL path parameter directly to the locateDAG function without validating the name. When a user supplies a %2F-encoded forward slash in this segment, the path resolution can step outside the intended DAGs directory. This flaw permits an attacker to read or manipulate files that are stored outside the DAG workspace, potentially exposing sensitive data or enabling further compromise. The weakness is clearly a path traversal flaw, classified as CWE-22, which directly compromises the confidentiality and integrity of the underlying file system. The impact can be significant, especially if the application runs with elevated privileges or if critical configuration files are reachable.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via the exposed HTTP API, as the flaw is triggered by passing a specially crafted URL segment. An attacker can exploit this by constructing a URL that contains %2F-encoded slashes to traverse directories and access unauthorized files on the server."}}}}, "created": "2026-03-25T11:46:16.744709+00:00", "updated": "2026-03-27T09:20:36.296826+00:00", "vendors": ["dagu-org", "dagu-org$PRODUCT$dagu"]}