
CVE-2026-3051: Path Traversal in DataLinkDC dinky

Severity: Medium
Published: Tue Feb 24 2026 (02/24/2026, 01:02:11 UTC)
Source: CVE Database V5
Vendor/Project: DataLinkDC
Product: dinky

Description

A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/03/2026, 20:26:15 UTC

Technical Analysis

CVE-2026-3051 is a path traversal vulnerability identified in the DataLinkDC dinky software, specifically affecting versions 1.2.0 through 1.2.5. The flaw resides in the getProjectDir function within the dinky-admin/src/main/java/org/dinky/utils/GitRepository.java file, part of the Project Name Handler component. This function improperly sanitizes the projectName input parameter, allowing an attacker to craft malicious input that traverses directory paths outside the intended project directory. By exploiting this, an attacker can remotely access arbitrary files on the server's filesystem, potentially reading sensitive configuration files, source code, or other critical data. The vulnerability requires no authentication or user interaction, making it easier to exploit. The vendor was notified early but has not issued any patches or advisories. The vulnerability has been publicly disclosed with exploit details, although no active exploitation in the wild has been confirmed. The CVSS 4.0 base score is 5.3, indicating a medium severity level, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is limited but non-negligible due to the potential for unauthorized data access and possible further exploitation.

Potential Impact

The path traversal vulnerability in DataLinkDC dinky can lead to unauthorized disclosure of sensitive files, including configuration files, credentials, or source code, which can facilitate further attacks such as privilege escalation or data exfiltration. Organizations running affected versions may face data breaches, intellectual property theft, or disruption of services if attackers leverage this flaw to compromise system integrity or availability. Since the vulnerability can be exploited remotely without authentication, the attack surface is broad, increasing risk especially for internet-facing deployments. The lack of vendor response and patches exacerbates the threat, as organizations must rely on workarounds or mitigations. While no active exploitation is currently reported, the public availability of exploit details raises the likelihood of future attacks. This vulnerability poses a moderate risk to confidentiality and integrity, with some potential impact on availability if attackers modify or delete critical files.

Mitigation Recommendations

Organizations should immediately audit their use of DataLinkDC dinky and identify any deployments running versions 1.2.0 through 1.2.5. In the absence of an official patch, implement strict input validation and sanitization on the projectName parameter at the application or web server level to block path traversal characters such as '../'. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the vulnerable endpoint. Restrict filesystem permissions of the dinky application user to the minimum necessary, preventing access to sensitive directories outside the intended project directory. Monitor logs for suspicious access patterns indicative of path traversal exploitation attempts. If feasible, isolate the dinky service in a segmented network zone to limit exposure. Engage with the vendor for updates and consider alternative tools if no remediation is forthcoming. Prepare incident response plans to quickly address potential exploitation.
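The input-validation recommendation above can be enforced by path containment rather than by filtering for '../' alone. The following is an added example, not dinky's code and not a vendor patch; the class `ProjectDirGuard`, the method `resolveProjectDir` and the sample names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: hypothetical helper, not dinky's GitRepository code.
public class ProjectDirGuard {

    /** Resolves projectName under baseDir and rejects anything that escapes it. */
    static Path resolveProjectDir(Path baseDir, String projectName) throws IOException {
        if (projectName == null || projectName.isEmpty() || projectName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed project name");
        }
        Path base = baseDir.toRealPath();                        // canonical base, symlinks resolved
        Path candidate = base.resolve(projectName).normalize();  // collapses "." and ".."
        // Path.startsWith compares whole path elements, so /data/projects-evil
        // does not count as being inside /data/projects.
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException("project name escapes base directory");
        }
        // If the directory already exists, re-check after resolving symlinks.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IllegalArgumentException("project directory resolves outside base");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("projects");  // constructed sandbox directory
        // Constructed sample inputs; only the first should be accepted.
        String[] samples = {"demo-project", "../outside", "a/../../outside", "/etc", "."};
        for (String name : samples) {
            try {
                System.out.println("accepted: " + name + " -> " + resolveProjectDir(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Checking the normalized result against the base directory also covers absolute paths and names that only traverse after an initial valid segment, which a substring filter for '../' does not.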


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-23T17:50:02.483Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699cfc3cbe58cf853bfd2f5f

Added to database: 2/24/2026, 1:17:48 AM

Last enriched: 3/3/2026, 8:26:15 PM

Last updated: 4/10/2026, 6:19:56 AM
