HIGH
HKUDS
CVE published 2026-05-28
CVE-2026-32847
A path traversal vulnerability in DeepCode's SPA catch-all route allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to bypass Starlette's path normalization. The vulnerability exists in new_ui/backend/main.py through commit c991dc2. Attackers can encode slashes as %2F and dots as %2E%2E to traverse outside the FRONTEND_DIST directory, exposing sensitive fil [truncated]
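
The containment check that closes this class of bug, as an added example (not DeepCode's code and not taken from `new_ui/backend/main.py`): the function names, the `dist` tree and the request paths are constructed assumptions, and `unquote` stands in for the decoding that happens before the route handler receives its path parameter.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_resolve(dist: Path, path_param: str) -> Path:
    """Unsafe pattern: join the decoded route parameter straight onto the base."""
    return dist / path_param


def safe_resolve(dist: Path, path_param: str) -> Optional[Path]:
    """Return a regular file strictly inside dist, or None if the path escapes it."""
    base = dist.resolve()
    candidate = (base / path_param).resolve()  # collapses ".." and follows symlinks
    if base not in candidate.parents:          # also rejects absolute-path overrides
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Build a constructed tree and run both resolvers over sample request paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dist = root / "dist"                   # stands in for FRONTEND_DIST
        (dist / "assets").mkdir(parents=True)
        (dist / "assets" / "app.js").write_text("console.log('ok')")
        (root / "secret.env").write_text("KEY=constructed")
        wire = {                               # constructed paths as sent on the wire
            "asset": "assets/app.js",
            "encoded": "%2E%2E%2Fsecret.env",
            "absolute": "%2Fetc%2Fhostname",
        }
        out = {}
        for name, raw in wire.items():
            param = unquote(raw)               # what the handler actually sees
            naive = naive_resolve(dist, param).resolve()
            out[name] = {
                "naive_escapes": dist.resolve() not in naive.parents,
                "safe": safe_resolve(dist, param) is not None,
            }
        return out


if __name__ == "__main__":
    print(demo())
```

The check runs on the resolved path after decoding, so it does not depend on how the traversal sequence was encoded in the request.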