CVE-2026-44225: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in enesgkky Pulpy
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access, but its blocklist is incomplete. Any web app packaged with Pulpy can read and write arbitrary files in the user's home directory — including ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/. This vulnerability is fixed in 0.1.1.
AI Analysis
Technical Summary
Pulpy is a cross-platform desktop application packager that injects a pulpy.fs JavaScript API into packaged web apps, granting them filesystem access. Before version 0.1.1, the validateFsPath() function intended to sandbox this access relied on an incomplete blocklist, enabling path traversal attacks. Consequently, any web app packaged with vulnerable Pulpy versions can read and write arbitrary files in the user's home directory, including critical files such as ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/. This vulnerability is identified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-284 (Improper Access Control). The issue is resolved in Pulpy 0.1.1. Since Pulpy is a cloud service, the vendor handles remediation server-side.
Potential Impact
The vulnerability allows unauthorized read and write access to arbitrary files in the user's home directory via packaged web applications, potentially exposing sensitive credentials and private keys. This can lead to severe confidentiality and integrity breaches. The CVSS score of 9.3 reflects the critical nature of this flaw with network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. Availability impact is not affected. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in Pulpy version 0.1.1. Since Pulpy is a cloud-hosted service, the vendor manages remediation server-side. Users and administrators should ensure they are using Pulpy 0.1.1 or later. Check the vendor advisory for confirmation of patch deployment and further guidance. No additional action is required if already on the fixed version.
CVE-2026-44225: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in enesgkky Pulpy
Description
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access, but its blocklist is incomplete. Any web app packaged with Pulpy can read and write arbitrary files in the user's home directory — including ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/. This vulnerability is fixed in 0.1.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Pulpy is a cross-platform desktop application packager that injects a pulpy.fs JavaScript API into packaged web apps, granting them filesystem access. Before version 0.1.1, the validateFsPath() function intended to sandbox this access relied on an incomplete blocklist, enabling path traversal attacks. Consequently, any web app packaged with vulnerable Pulpy versions can read and write arbitrary files in the user's home directory, including critical files such as ~/.ssh/id_rsa, ~/.aws/credentials, and ~/Library/Keychains/. This vulnerability is identified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-284 (Improper Access Control). The issue is resolved in Pulpy 0.1.1. Since Pulpy is a cloud service, the vendor handles remediation server-side.
Potential Impact
The vulnerability allows unauthorized read and write access to arbitrary files in the user's home directory via packaged web applications, potentially exposing sensitive credentials and private keys. This can lead to severe confidentiality and integrity breaches. The CVSS score of 9.3 reflects the critical nature of this flaw with network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. Availability impact is not affected. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in Pulpy version 0.1.1. Since Pulpy is a cloud-hosted service, the vendor manages remediation server-side. Users and administrators should ensure they are using Pulpy 0.1.1 or later. Check the vendor advisory for confirmation of patch deployment and further guidance. No additional action is required if already on the fixed version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T15:42:40.518Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a038bd7cbff5d861016496c
Added to database: 5/12/2026, 8:21:43 PM
Last enriched: 5/12/2026, 8:36:48 PM
Last updated: 5/13/2026, 4:57:55 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.