CVE-2026-37531 - Vulnerability Analysis
Severity: Critical
CVSS: 9.8
Last Updated: May 1, 2026
AGL app-framework-main - Path Traversal & TOCTOU Race Condition
Published: May 1, 2026
Updated: May 1, 2026
Remote Exploitable
Overview
AGL app-framework-main through 17.1.12 contains a path traversal vulnerability combined with a TOCTOU race condition in the widget installation flow. The installer does not properly validate ZIP entry names, and it extracts the archive contents before verifying the package signature. A crafted malicious ZIP file therefore lets an attacker write files anywhere on the filesystem before signature verification takes place. Exploitation requires supplying such a crafted ZIP file to the installer.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can write arbitrary files anywhere on the filesystem, potentially leading to code execution or system compromise.
Mitigation
Update to a fixed version of app-framework-main that verifies the widget signature before extracting anything from the archive and that validates ZIP entry names (rejecting absolute paths and names that resolve outside the installation directory). Upgrading to the latest release is the recommended route.
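The overview and mitigation above describe the two defects that have to be fixed together: entry-name validation and the order of signature verification versus extraction. The following is an added example of a hardened widget-install flow written for this page; it is not code from AGL app-framework-main and does not reproduce its signature format. An HMAC-SHA256 tag stands in for the real package signature (an assumption made for the example), the archives are constructed inline, and the function and class names are hypothetical. It verifies the archive bytes first, then rejects every unsafe entry name and symlink entry before writing a single file, extracts into a fresh mode-0700 staging directory so that no other process can race the checks, and finally publishes the tree with one rename.

```python
"""Hardened widget install: verify, validate every entry, extract, rename.
Added example for this page; not code from AGL app-framework-main.
The HMAC tag is a stand-in for the real signature scheme (assumption)."""
import hashlib
import hmac
import io
import os
import posixpath
import shutil
import stat
import tempfile
import zipfile

SIGNING_KEY = b"demo-key-not-for-production"  # constructed for the example


class InstallError(Exception):
    pass


def sign_archive(archive: bytes, key: bytes = SIGNING_KEY) -> bytes:
    return hmac.new(key, archive, hashlib.sha256).digest()


def verify_archive(archive: bytes, tag: bytes, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign_archive(archive, key), tag)


def entry_name_is_safe(name: str) -> bool:
    """Accept only relative POSIX paths that cannot climb out of the root."""
    if not name or "\x00" in name or "\\" in name:
        return False
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        return False  # absolute path or Windows drive prefix
    norm = posixpath.normpath(name)  # collapses "a/../../b" to "../b"
    return norm != ".." and not norm.startswith("../")


def entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the high 16 bits of external_attr.
    return stat.S_ISLNK((info.external_attr >> 16) & 0xFFFF)


def install_widget(archive: bytes, tag: bytes, install_root: str, widget_id: str) -> list:
    """Install and return the regular files placed under install_root/widget_id."""
    # 1. Verify the signature over the exact bytes about to be parsed;
    #    nothing touches the filesystem before this check passes.
    if not verify_archive(archive, tag):
        raise InstallError("signature verification failed")
    os.makedirs(install_root, exist_ok=True)
    final = os.path.join(install_root, widget_id)
    if os.path.lexists(final):
        raise InstallError(f"widget already installed: {widget_id}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        # 2. Validate every entry before extracting any of them.
        for info in infos:
            if not entry_name_is_safe(info.filename):
                raise InstallError(f"unsafe entry name: {info.filename!r}")
            if entry_is_symlink(info):
                raise InstallError(f"symlink entry rejected: {info.filename!r}")
        # 3. Extract into a private 0700 staging dir; realpath + commonpath is
        #    defence in depth against anything the name check did not catch.
        staging = os.path.realpath(tempfile.mkdtemp(prefix=".staging-", dir=install_root))
        written = []
        try:
            for info in infos:
                dest = os.path.realpath(os.path.join(staging, info.filename))
                if os.path.commonpath([staging, dest]) != staging:
                    raise InstallError(f"entry escapes staging dir: {info.filename!r}")
                if info.is_dir():
                    os.makedirs(dest, exist_ok=True)
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
                with zf.open(info) as src, os.fdopen(os.open(dest, flags, 0o644), "wb") as dst:
                    dst.write(src.read())
                written.append(info.filename)
        except BaseException:
            shutil.rmtree(staging, ignore_errors=True)
            raise
    # 4. Publish the verified, validated tree with a single rename.
    os.rename(staging, final)
    return sorted(written)


def build_archive(files: dict, symlinks: dict = None) -> bytes:
    """Constructed test archive; `symlinks` maps entry name -> link target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()


def demo() -> dict:
    """Run the installer against a clean archive and four hostile ones."""
    root = tempfile.mkdtemp(prefix="widgets-")
    out = {}
    good = build_archive({"config.xml": b"<widget/>", "icons/app.png": b"\x89PNG"})
    out["clean"] = install_widget(good, sign_archive(good), root, "clean")
    hostile = {
        "traversal": build_archive({"../escaped.txt": b"x"}),
        "absolute": build_archive({"/etc/evil.conf": b"x"}),
        "symlink": build_archive({"link/payload": b"x"}, symlinks={"link": "/etc"}),
    }
    for label, archive in hostile.items():
        try:
            install_widget(archive, sign_archive(archive), root, label)
            out[label] = "installed"
        except InstallError as exc:
            out[label] = str(exc)
    tampered = good[:-1] + bytes([good[-1] ^ 1])  # one bit flipped after signing
    try:
        install_widget(tampered, sign_archive(good), root, "tampered")
        out["tampered"] = "installed"
    except InstallError as exc:
        out["tampered"] = str(exc)
    out["escaped_file_written"] = os.path.exists(os.path.join(root, "escaped.txt"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering is the point: the signature check runs over the raw archive bytes before the ZIP is even parsed, every entry is inspected before the first write, and the writes go into a directory created with `mkdtemp` (mode 0700) and opened with `O_EXCL | O_NOFOLLOW`, so there is no window in which a partially extracted, unverified tree is reachable by anyone else.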
Details
- CVE ID: CVE-2026-37531
- Severity: Critical
- CVSS Score: 9.8
- Type: Path traversal
- Status: New
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H