EXECUTIVE SUMMARY:
CVE-2026-47253 (CVSS score 7.3) is a path-traversal flaw in the go/github.com/julien040/anyquery package that allows arbitrary directory deletion through the SQL scalar function clear_plugin_cache. The function concatenates a user-supplied plugin name to the XDG cache path using path.Join and then calls os.RemoveAll without properly sanitizing path traversal sequences, allowing an attacker to craft a payload such as SELECT clear_plugin_cache that resolves to any filesystem location reachable by the server process. Exploitation requires only network access to the /v1/query HTTP endpoint and a low-privileged bearer token that permits query execution; no additional privileges or code execution are needed. Once triggered, the attacker can delete files or entire directories outside the intended cache directory, potentially erasing logs, configuration files, or critical application data. The business impact includes data loss, service downtime, compliance violations, and possible cascading failures if essential system components are removed. Successful exploitation is contingent on the service running with sufficient filesystem permissions and the attacker being able to submit arbitrary SQL queries via the exposed endpoint.
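The pattern described above, next to a contained version, as an added Go example that is not anyquery's own code or its upstream fix. The function names (unsafeCachePath, safeCachePath, clearPluginCache as a Go helper) and the sample paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// unsafeCachePath mirrors the pattern the advisory describes: path.Join
// cleans the result, so ".." segments in the name are resolved, not rejected.
func unsafeCachePath(cacheDir, plugin string) string {
	return path.Join(cacheDir, plugin)
}

var errBadPlugin = errors.New("plugin name escapes cache directory")

// safeCachePath (hypothetical helper) accepts only a single path component,
// then verifies the joined path is still strictly below cacheDir.
func safeCachePath(cacheDir, plugin string) (string, error) {
	if plugin == "" || plugin == "." || plugin == ".." ||
		strings.ContainsAny(plugin, `/\`) || strings.ContainsRune(plugin, 0) {
		return "", errBadPlugin
	}
	target := filepath.Join(cacheDir, plugin)
	rel, err := filepath.Rel(cacheDir, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadPlugin
	}
	return target, nil
}

// clearPluginCache removes one plugin's cache directory only after validation.
func clearPluginCache(cacheDir, plugin string) error {
	target, err := safeCachePath(cacheDir, plugin)
	if err != nil {
		return err
	}
	return os.RemoveAll(target)
}

func main() {
	cache := "/home/app/.cache/example" // constructed sample path
	for _, name := range []string{"github", "../../../../etc", ".."} {
		_, err := safeCachePath(cache, name)
		fmt.Printf("%-18q unsafe=%-32s safe_err=%v\n", name, unsafeCachePath(cache, name), err)
	}
}
```

The name check and the containment check are deliberately redundant: the first rejects anything that is not a single path component, and the second still holds if the allowed name format is later relaxed.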
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: