5.3
CVE-2026-21851
- EPSS 0.31%
- Veröffentlicht 07.01.2026 22:27:19
- Zuletzt bearbeitet 02.02.2026 15:13:47
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginMONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase properly use the existing `safe_extract_member()` function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Project-monai ≫ Monai Version <= 1.5.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.31% | 0.226 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27
https://github.com/Project-MONAI/MONAI/commit/4014c8475626f20f158921ae0cf98ed259ae4d59