PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-40646 vertex-app CVE debrief

A path traversal vulnerability in Vertex, a management tool for Private Tracker (PT) users, allows unauthorized file system access. The vulnerability exists in versions prior to commit fbde301b97986d5913fc4bc95f5445750d282e11. The CVSS 3.1 score of 8.6 (HIGH) reflects a network attack vector with no privileges or user interaction required, with high confidentiality impact and low integrity and availability impact. The weakness is categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Vendor: vertex-app
Product: vertex
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations and individuals operating Vertex instances for Private Tracker media management, particularly those with internet-exposed deployments.

Technical summary

Vertex versions prior to commit fbde301b97986d5913fc4bc95f5445750d282e11 are vulnerable to path traversal (CWE-22). An unauthenticated remote attacker can exploit this to access files outside the intended directory scope. The vulnerability is rated HIGH (CVSS 8.6) due to high confidentiality impact with no required authentication or user interaction. The fix is available in the referenced commit.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Vertex to a version containing commit fbde301b97986d5913fc4bc95f5445750d282e11 or later.
  • If immediate patching is not feasible, restrict network access to the Vertex application to trusted hosts only.
  • Monitor application logs for anomalous file access patterns or directory traversal indicators.
  • Review file system permissions to ensure the application service account has minimal necessary access.

Evidence notes

The CVE description and NVD record confirm path traversal in Vertex versions before the specified commit. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) supports the HIGH severity rating. The GitHub advisory and commit provide patch provenance.

Official resources

The vulnerability was disclosed via GitHub Security Advisory GHSA-92j5-qc36-23rr and published in the NVD on 2026-06-01.