CVE-2026-32709 - Vulnerability Analysis
Medium | CVSS: 5.4 | Last Updated: March 16, 2026
PX4 autopilot - Path Traversal
Published: March 16, 2026 | Updated: March 16, 2026 | PoC Available
Overview
PX4 autopilot versions before 1.17.0-rc2 contain a path traversal vulnerability caused by improper validation in the MAVLink FTP implementation, which lets unauthenticated MAVLink peers read, write, create, delete, and rename arbitrary files. Exploitation requires no authentication.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Unauthenticated attackers can fully manipulate files on the flight controller filesystem, potentially compromising the system.
Mitigation
Update to version 1.17.0-rc2 or later.
Details
- CVE ID: CVE-2026-32709
- Severity: Medium
- CVSS Score: 5.4
- Type: path_traversal
- Status: confirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N