PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15527 better-auth CVE debrief

A path traversal vulnerability has been identified in better-auth better-icons up to 1.0.5. The vulnerability affects the scan_project_icons/sync_icon component. Manipulation of the icons_file argument can lead to path traversal. Local access is required for an attack. The exploit has been publicly disclosed but vendor response is pending. Users should verify affected versions and monitor for suspicious local activity. The vulnerability has a low CVSS score, indicating a low priority for immediate action, but users should still take necessary precautions to protect their systems.

Vendor
better-auth
Product
better-icons
CVSS
LOW 1.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of better-auth better-icons up to version 1.0.5 should be aware of this vulnerability and take necessary precautions to protect their systems. This includes administrators, security teams, and operators who manage or use the affected product. They should review the vulnerability details, assess their exposure, and plan for mitigations or updates as needed.

Technical summary

The vulnerability is caused by improper handling of the icons_file argument in the scan_project_icons/sync_icon component of better-auth better-icons up to 1.0.5. This allows for path traversal attacks, which can be exploited locally. The vulnerability has a low CVSS score of 1.9, indicating a low severity impact. However, users should still take necessary precautions to protect their systems, including inventory and verification of affected versions, applying patches or updates when available, and implementing compensating controls to restrict access to vulnerable components.

Defensive priority

Low priority due to local attack requirement and low CVSS score. However, users should still take necessary precautions to protect their systems, including inventory and verification of affected versions, applying patches or updates when available, and implementing compensating controls to restrict access to vulnerable components.

Recommended defensive actions

  • Inventory and verify affected versions of better-auth better-icons
  • Apply patches or updates when available
  • Monitor for suspicious local activity
  • Implement compensating controls to restrict access to vulnerable components
  • Review and update incident response plans to address potential local attacks
  • Conduct regular security audits to identify and address vulnerabilities in a timely manner
  • Verify and document the effectiveness of implemented mitigations and controls

Evidence notes

The CVE record was published on 2026-07-13T04:16:28.163Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited details are available about the vulnerability and its impact. The vulnerability affects the scan_project_icons/sync_icon component of better-auth better-icons up to 1.0.5. Local access is required for an attack. The exploit has been publicly disclosed but vendor response is pending. Users should verify affected versions and monitor for suspicious local activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T04:16:28.163Z and has not been modified since then. The NVD entry is currently in the 'Received' status.