CVE-2026-30345 is a directory traversal vulnerability commonly known as a zip slip, affecting the Admin import functionality of CTFd version 3.8.1-18-gdb5a18c4. The vulnerability arises because the import feature does not properly sanitize or validate the paths of files contained within a zip archive supplied by an attacker. By crafting a malicious zip archive with specially designed file paths containing directory traversal sequences (e.g., ../), an attacker with access to the import functionality can cause the application to write files outside the intended import directory. This can lead to arbitrary file write on the server’s filesystem, potentially overwriting critical files or placing malicious scripts that could be executed later. Although exploitation requires administrative privileges to access the import feature, the impact can be severe, including remote code execution or persistent backdoors. No CVSS score has been assigned yet, and no official patches or mitigations have been published at the time of disclosure. The vulnerability is currently not known to be exploited in the wild, but the nature of zip slip vulnerabilities makes it a critical risk once discovered. The lack of path sanitization in file extraction is a common security oversight, emphasizing the need for secure handling of archive imports in web applications.

The primary impact of this vulnerability is the unauthorized writing of arbitrary files outside the intended directory on the server hosting CTFd. This can compromise the confidentiality and integrity of the system by allowing attackers to overwrite configuration files, deploy web shells, or insert malicious code. If exploited, it could lead to remote code execution, privilege escalation, or persistent backdoors, severely affecting the availability and trustworthiness of the affected system. Organizations relying on CTFd for cybersecurity training, capture-the-flag competitions, or educational purposes could face service disruption, data breaches, or reputational damage. Since the vulnerability requires admin-level access, the risk is heightened if admin credentials are compromised or if insider threats exist. The absence of patches increases exposure time, and the vulnerability could be leveraged in targeted attacks against organizations heavily using CTFd platforms.

1. Immediately restrict access to the Admin import functionality to trusted administrators only and monitor usage closely. 2. Implement strict input validation and sanitization on all file paths extracted from imported zip archives to prevent directory traversal sequences. 3. Use secure libraries or functions that automatically prevent zip slip vulnerabilities by validating extraction paths against the intended directory. 4. Employ file system permissions that limit the write scope of the application user to only necessary directories, minimizing potential damage from arbitrary writes. 5. Monitor file system changes and audit logs for unusual file creation or modification events outside expected directories. 6. If possible, disable the import functionality temporarily until a patch or official fix is released. 7. Educate administrators on the risks of importing untrusted files and enforce strong credential management to prevent unauthorized admin access. 8. Stay updated with CTFd vendor announcements for patches addressing this vulnerability and apply them promptly once available.