LeakyCreds

CVE-2026-27969 - Vulnerability Analysis

Severity: High, CVSS: 8.8

Last Updated: February 27, 2026

Vitess - Path Traversal

Published: February 26, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

Vitess versions prior to 23.0.3 and 22.0.4 contain a path traversal vulnerability caused by manipulation of backup manifest files in backup storage. An attacker with read/write access to backup storage can cause files to be written to arbitrary locations on restore. Exploitation requires read/write access to backup storage.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 3.7% (probability of exploitation in the next 30 days)

Impact

Attackers can write files to arbitrary locations and execute arbitrary commands, leading to unauthorized access and control over the production environment.

Mitigation

Update to versions 23.0.3 or 22.0.4 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 28, 2026

🟠 CVE-2026-27969 - High (8.8) Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27969/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-27969
Severity: High
CVSS Score: 8.8
Type: path_traversal
Status: confirmed
EPSS: 3.7%
Social Posts: 1

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.7% (probability of exploitation in the next 30 days)