LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-43989

CVE-2026-43989 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: May 12, 2026

JunoClaw - Unrestricted File Upload

Published: May 12, 2026Updated: May 12, 2026

Overview

JunoClaw < 0.x.y-security-1 contains an unrestricted file upload caused by lack of validation on filesystem path input in upload_wasm MCP tool, letting attackers upload arbitrary files, exploit requires no special privileges.

Severity & Score

Severity: High
CVSS Score: 8.5
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can upload arbitrary files, potentially leading to code execution or system compromise.

Mitigation

Update to version 0.x.y-security-1 or later.

References

Social Media Activity(4 posts)

TheHackerWire
TheHackerWire
@thehackerwire
May 12, 2026

šŸŸ  CVE-2026-43989 - High (8.5) JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink targe... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-43989/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
May 12, 2026

šŸŸ  CVE-2026-43989 - High (8.5) JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink targe... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-43989/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
May 12, 2026

šŸŸ  CVE-2026-43989 - High (8.5) JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink targe... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-43989/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
May 12, 2026

šŸŸ  CVE-2026-43989 - High (8.5) JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink targe... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-43989/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-43989
Severity
High
CVSS Score
8.5
Type
unrestricted_file_upload
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

EPSS Score

0.0%Probability of exploitation in the next 30 days