CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-57079

mediumCVSS 5.3covered by 1 sourcefirst seen 2026-06-30
Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata. Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory. Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.

⚡ Watch CVE-2026-57079

Get an email if CVE-2026-57079 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-57079

CVE.org record

Embed the live status

CVE-2026-57079 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-57079 status](https://www.csirts.com/badge/CVE-2026-57079)](https://www.csirts.com/cve/CVE-2026-57079)