CVE-2026-3051

6.3 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in DataLinkDC Dinky's GitRepository component. Attackers can manipulate the projectName parameter to access arbitrary files on the server. This affects Dinky installations up to version 1.2.5 that have the vulnerable component exposed.

💻 Affected Systems

Products:
  • DataLinkDC Dinky
Versions: up to 1.2.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the GitRepository component's getProjectDir function when projectName parameter is manipulated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers could read sensitive files like configuration files, credentials, or source code, potentially leading to complete system compromise.

🟠

Likely Case

Unauthorized file access leading to information disclosure of sensitive data stored on the server.

🟢

If Mitigated

Limited impact if proper input validation and access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit has been publicly disclosed and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure. Consider upgrading to any version beyond 1.2.5 if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement strict input validation to reject path traversal sequences in projectName parameter

Implement validation in GitRepository.java (the getProjectDir function) so that projectName is sanitized before it is used to build a filesystem path
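One way to implement that validation, as an added example that is not Dinky's own code: the class name, the base directory and the allowed-name pattern are assumptions; the resolver allowlists the name, decodes percent-encoding once so "%2e%2e%2f" cannot slip past the check, and then confirms the normalized path still lies under the base directory.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Hypothetical helper: resolves a project directory under a fixed base and rejects traversal. */
public final class ProjectDirResolver {
    // Assumed allowlist: a bare directory name, no separators, no percent signs.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    private final Path baseDir;

    public ProjectDirResolver(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    public Path getProjectDir(String projectName) {
        if (projectName == null) {
            throw new IllegalArgumentException("projectName required");
        }
        // Decode once so a percent-encoded "../" is compared in its decoded form.
        String decoded = URLDecoder.decode(projectName, StandardCharsets.UTF_8);
        // "." and ".." both match the character class, so they are rejected explicitly.
        if (!SAFE_NAME.matcher(decoded).matches() || decoded.equals(".") || decoded.equals("..")) {
            throw new IllegalArgumentException("invalid projectName");
        }
        Path resolved = baseDir.resolve(decoded).normalize();
        // Defence in depth: the result must be a strict descendant of baseDir.
        if (!resolved.startsWith(baseDir) || resolved.equals(baseDir)) {
            throw new IllegalArgumentException("projectName escapes base directory");
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample base directory; not a path taken from the product.
        ProjectDirResolver r = new ProjectDirResolver(Paths.get("/opt/dinky/git"));
        System.out.println("accepted: " + r.getProjectDir("flink-jobs"));
        for (String bad : new String[] {"../../etc/passwd", "%2e%2e%2fetc%2fpasswd", "a/b", ".."}) {
            try {
                r.getProjectDir(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Path.normalize does not follow symbolic links, so if the base directory may contain symlinks, resolve the final path with toRealPath before the containment check.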

Access Control Restriction

Platform: linux

Restrict file system access permissions for the Dinky application user

chmod 750 /path/to/dinky/data
setfacl -m u:dinkyuser:rx /required/paths

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block path traversal patterns
  • Isolate Dinky instance in network segment with limited access to sensitive file systems

🔍 How to Verify

Check if Vulnerable:

Check if Dinky version is ≤1.2.5 and if GitRepository component is accessible

Check Version:

Check application version in web interface or configuration files

Verify Fix Applied:

Test with path traversal payloads (e.g., '../../etc/passwd') to verify they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in application logs
  • Multiple failed path traversal attempts

Network Indicators:

  • HTTP requests containing '../' sequences in projectName parameter

SIEM Query:

source="dinky_logs" AND ("../" OR "..\\" OR "%2e%2e%2f")
