Slopsmith has path traversal in archive extractors that allows arbitrary...

7.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U

Description

Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` — PSARC TOC filenames; `lib/patcher.py::unpack_psarc` — duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` — bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module's default `extractall()` is documented as not preventing traversal when callers don't supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.

Basic Information

ID CVE-2026-49290

Source GitHub_M

Published Jun 19, 2026 at 17:31

Affected Product

Vendor byrongamatos

Product slopsmith

Version < 0.2.9-alpha.5

Affected Versions byrongamatos slopsmith < 0.2.9-alpha.5

CWE Classification

CWE-22 CWE-23 CWE-36

References

{
    "lastseen": "",
    "description": "Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` \u2014 PSARC TOC filenames; `lib/patcher.py::unpack_psarc` \u2014 duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` \u2014 bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module's default `extractall()` is documented as not preventing traversal when callers don't supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.",
    "published": "2026-06-19T17:31:05.659Z",
    "modified": "2026-06-19T17:31:05.659Z",
    "type": "cve",
    "title": "Slopsmith has path traversal in archive extractors that allows arbitrary file write \u2192 potential RCE",
    "source": "GitHub_M",
    "references": "https://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith\nhttps://github.com/byrongamatos/slopsmith/security/advisories/GHSA-8wr9-348x-xwmr\nhttps://github.com/byrongamatos/slopsmith/commit/9cccac12a\nhttps://web.archive.org/web/20260522065709/https://github.com/byrongamatos/slopsmith",
    "id": "CVE-2026-49290",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-23",
        "CWE-36"
    ],
    "cvelist": null,
    "sourceData": "byrongamatos slopsmith < 0.2.9-alpha.5",
    "sourceHref": "",
    "cvss": {
        "score": 7.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "slopsmith",
    "version": "< 0.2.9-alpha.5",
    "vendor": "byrongamatos",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Slopsmith has path traversal in archive extractors that allows arbitrary file write → potential RCE_CVE-2026-49290