CVE-2026-30345 is a directory traversal vulnerability (zip slip) in the Admin import feature of CTFd v3.8.1-18-gdb5a18c4. By crafting a malicious import archive, an attacker can cause the application to write files outside the intended directory structure, potentially overwriting or adding arbitrary files on the host system. This can compromise the integrity of the system or application data. The vulnerability does not require privileges or user interaction to exploit and has a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). No patch or vendor advisory is currently available, and no exploits are known in the wild.

Successful exploitation allows an unauthenticated attacker to write arbitrary files outside the intended directories via the import functionality, potentially leading to integrity violations such as overwriting critical files or injecting malicious content. There is no reported impact on confidentiality or availability. The vulnerability could be leveraged to compromise the application or host environment integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the Admin import functionality to trusted users only and avoid importing untrusted or unauthenticated archives. Monitor vendor channels for updates regarding patches or mitigations.