{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6057", "assignerOrgId": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "state": "PUBLISHED", "assignerShortName": "securin", "dateReserved": "2026-04-10T00:33:01.535Z", "datePublished": "2026-04-10T09:16:30.338Z", "dateUpdated": "2026-04-10T20:25:53.551Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "shortName": "securin", "dateUpdated": "2026-04-10T09:16:30.338Z"}, "title": "Unauthenticated Path Traversal in FalkorDB Browser Leads to Remote Code Execution", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Path Traversal", "type": "CWE"}]}], "affected": [{"vendor": "FalkorDB", "product": "FalkorDB Browser", "platforms": ["Linux", "64 bit", "Windows"], "versions": [{"status": "affected", "version": "1.9.3"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.</p>"}]}], "references": [{"url": "https://github.com/FalkorDB/falkordb-browser"}, {"url": "https://github.com/FalkorDB/falkordb-browser/pull/1611"}], "credits": [{"lang": "en", "value": "Ramesh Gunnam from Securin", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:24:59.231118Z", "id": "CVE-2026-6057", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:25:53.551Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-10T20:24:59.231118Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:25:10.352Z"}}], "cna": {"title": "Unauthenticated Path Traversal in FalkorDB Browser Leads to Remote Code Execution", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ramesh Gunnam from Securin"}], "affected": [{"vendor": "FalkorDB", "product": "FalkorDB Browser", "versions": [{"status": "affected", "version": "1.9.3"}], "platforms": ["Linux", "64 bit", "Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/FalkorDB/falkordb-browser"}, {"url": "https://github.com/FalkorDB/falkordb-browser/pull/1611"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.", "supportingMedia": [{"type": "text/html", "value": "<p>FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Path Traversal"}]}], "providerMetadata": {"orgId": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "shortName": "securin", "dateUpdated": "2026-04-10T09:16:30.338Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6057", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:25:53.551Z", "dateReserved": "2026-04-10T00:33:01.535Z", "assignerOrgId": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "datePublished": "2026-04-10T09:16:30.338Z", "assignerShortName": "securin"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution."}], "id": "CVE-2026-6057", "lastModified": "2026-05-19T15:35:04.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-10T10:16:04.547", "references": [{"source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "url": "https://github.com/FalkorDB/falkordb-browser"}, {"source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "url": "https://github.com/FalkorDB/falkordb-browser/pull/1611"}], "sourceIdentifier": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "64_bit", "windows"], "status": "affected", "versions": {"scheme": "semver", "value": "1.9.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FalkorDB Browser", "source": "cna", "vendor": "FalkorDB"}, "product": "falkordb_browser", "vendor": "falkordb"}], "analysis": {"en": {"generated_at": "2026-04-10T22:36:15.163774+00:00", "value": {"mitigation_remediation": ["Upgrade FalkorDB Browser to a patched version (at least 1.9.4).", "If an immediate upgrade is not possible, restrict the file upload API to authenticated users only and constrain acceptable file paths and types.", "Continuously monitor upload activity for suspicious patterns and block malicious files, and consult FalkorDB for any forthcoming fixes."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects FalkorDB Browser version 1.9.3, as supplied by FalkorDB. No other versions or additional products were listed, so only installations of this exact version are susceptible.", "description_and_impact": "FalkorDB Browser 1.9.3 contains an unauthenticated path traversal flaw in its file upload API, allowing an attacker to write arbitrary files to the server\u2019s file system and thereby execute code remotely. The vulnerability is a classic example of the \"Path Traversal\" weakness (CWE\u201122). The impact is the complete compromise of confidentiality, integrity, and availability by enabling arbitrary code execution on the host running FalkorDB Browser.", "risk_and_exploitability": "With a CVSS score of 9.8 the issue is considered Critical. The EPSS score is below 1%, indicating low expected exploitation frequency, and it is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated HTTP request to the file upload endpoint, exploiting directory traversal to write a malicious file that can then be executed. The requirement for authentication is absent, so any network\u2011reachable user can trigger the flaw if the API is exposed."}}}}, "created": "2026-04-10T14:40:49.982090+00:00", "updated": "2026-04-13T13:06:13.326406+00:00", "vendors": ["falkordb", "falkordb$PRODUCT$falkordb_browser"]}