CVE-2026-30351: Path Traversal Hits leonvanzyl autocoder
The National Vulnerability Database has issued an advisory for CVE-2026-30351, a high-severity path traversal vulnerability (CVSS 7.5) found in the UI/static component of leonvanzyl autocoder commit 79d02a. This flaw allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious URL paths containing traversal sequences.
This isn’t a complex exploit. A simple path traversal in a web-exposed component is low-hanging fruit for any attacker. The autocoder project, while open-source, clearly wasn’t built with robust input validation, especially for static file serving. Attackers will leverage this to exfiltrate configuration files, source code, or even sensitive user data if the application is processing it.
Defenders using or integrating leonvanzyl autocoder should immediately review their deployments. A path traversal like this means a compromised web server, and that’s a direct route to full system compromise. The attacker’s calculus here is straightforward: find exposed instances, grab credentials or sensitive data, and pivot. This is an easy win for them.
What This Means For You
- If your organization utilizes `leonvanzyl autocoder` commit `79d02a` or similar versions, you need to assess your exposure immediately. This vulnerability allows for arbitrary file reading, which can lead to data exfiltration or further system compromise. Prioritize patching or implementing robust input validation and access controls on any publicly accessible instances.
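The advisory describes the defect class (a static handler that joins a request path onto the web root without canonicalising it) but does not show the project's code. The following is an added example, not code from the autocoder project: a minimal resolver in the vulnerable style beside a hardened version that percent-decodes, rejects NUL bytes, canonicalises, and then requires the result to remain inside the web root. The web root `/srv/autocoder/static` and the request paths are constructed for the demo.

```python
"""Added example, not code from the autocoder project: a naive static-file
path resolver beside a hardened one. The web root and request paths used
below are constructed for the demonstration."""
import os
from pathlib import Path
from typing import Optional, Union
from urllib.parse import unquote

PathLike = Union[str, Path]


def resolve_naive(web_root: PathLike, url_path: str) -> Path:
    """Vulnerable pattern: glue the request path onto the web root without
    canonicalising it, so '../' segments walk out of the directory."""
    return Path(web_root) / url_path.lstrip("/")


def resolve_safe(web_root: PathLike, url_path: str) -> Optional[Path]:
    """Hardened pattern: percent-decode once, reject NUL bytes, canonicalise,
    then require the result to still sit inside the web root.
    Returns None when the request would escape."""
    decoded = unquote(url_path)            # '%2e%2e/' becomes '../' before we check
    if "\x00" in decoded:                  # NUL can truncate paths in lower-level APIs
        return None
    root = Path(web_root).resolve()
    candidate = (root / decoded.lstrip("/")).resolve()   # collapses '..' and symlinks
    try:
        candidate.relative_to(root)        # ValueError if candidate is outside root
    except ValueError:
        return None
    return candidate


def escapes_root(web_root: PathLike, candidate: PathLike) -> bool:
    """Lexical check used only to show where the naive resolver ends up."""
    normalised = Path(os.path.normpath(str(candidate)))
    try:
        normalised.relative_to(Path(web_root))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = "/srv/autocoder/static"         # constructed web root
    for req in ("/js/app.js", "/js/../css/site.css",
                "/../../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        naive = resolve_naive(root, req)
        print(f"{req:36} naive={naive} escapes={escapes_root(root, naive)} "
              f"safe={resolve_safe(root, req)}")
```

The `relative_to` check compares path components rather than string prefixes, so a sibling directory such as `/srv/autocoder/static2` is not mistaken for being inside the root; decoding before canonicalising is what closes the percent-encoded variant.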
Related ATT&CK Techniques
🛡️ Detection Rules
CVE-2026-30351: Path Traversal in autocoder UI

```yaml
title: 'CVE-2026-30351: Path Traversal in autocoder UI'
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
    Detects attempts to exploit CVE-2026-30351 by looking for path traversal
    sequences ('../') within the URI, specifically targeting the '/static/' path
    commonly used by the leonvanzyl autocoder UI. This indicates an attempt to
    read arbitrary files outside the intended web root.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-30351/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        # Both substrings must be present in the same URI; the original listed
        # 'cs-uri|contains' twice, which is a duplicate YAML key and would keep
        # only the second value.
        cs-uri|contains|all:
            - '/../'
            - '/static/'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```

Source: Shimi's Cyber World
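To show what the rule above actually matches, here is an added example (not the feed's own tooling) that runs the selection logic over W3C-style web-server log lines. It implements the rule's literal substring test, the same test after one round of percent-decoding, and a stricter check that normalises the path and asks whether it really leaves `/static/`. The log lines, IP addresses and paths are all constructed for the demo.

```python
"""Added example, not tooling from the feed or the project: the Sigma rule's
selection logic applied to constructed web-server log lines, with two
refinements a defender would want to compare against it."""
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log: date time, source IP, method, cs-uri, status.
SAMPLE_LOG = """\
2026-04-27 19:20:01 10.0.0.5 GET /static/js/app.js 200
2026-04-27 19:20:07 203.0.113.9 GET /static/../../../etc/passwd 200
2026-04-27 19:20:09 203.0.113.9 GET /static/%2e%2e/%2e%2e/config.json 200
2026-04-27 19:21:13 10.0.0.8 GET /api/projects 200
2026-04-27 19:21:40 10.0.0.8 GET /docs/../static/css/site.css 304
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into named fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, method, uri, status = m.groups()
    return {"ts": ts, "src_ip": src, "method": method, "cs_uri": uri, "status": status}


def sigma_literal(cs_uri: str) -> bool:
    """Exactly what the rule's selection expresses: both substrings present."""
    return "/../" in cs_uri and "/static/" in cs_uri


def sigma_decoded(cs_uri: str) -> bool:
    """Same test after one round of percent-decoding, so '%2e%2e/' is not missed."""
    return sigma_literal(unquote(cs_uri))


def escapes_static(cs_uri: str) -> bool:
    """Stricter: the request names /static/ and its normalised form leaves it.
    Drops '/docs/../static/...' style hits that the substring rule raises."""
    decoded = unquote(cs_uri)
    if "/static/" not in decoded:
        return False
    normalised = posixpath.normpath(decoded)
    return not normalised.startswith("/static/")


def scan(log_text: str) -> List[Dict[str, object]]:
    """Annotate every log line with the three verdicts."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        uri = str(rec["cs_uri"])
        rec["literal"] = sigma_literal(uri)
        rec["decoded"] = sigma_decoded(uri)
        rec["escapes"] = escapes_static(uri)
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src_ip']:12} {str(f['cs_uri']):42} literal={f['literal']} "
              f"decoded={f['decoded']} escapes={f['escapes']}")
```

On the sample lines the literal rule misses the percent-encoded request and raises the harmless `/docs/../static/css/site.css`; decoding the URI before matching closes the first gap, and normalising the path removes the second. Whether a SIEM already stores `cs-uri` decoded varies by platform, so check that before relying on the literal form.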
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-30351 | Path Traversal | leonvanzyl autocoder commit 79d02a |
| CVE-2026-30351 | Path Traversal | Vulnerable component: UI/static |
| CVE-2026-30351 | Path Traversal | Attack vector: crafted URL path containing traversal sequences |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 27, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.