A vulnerability categorized as critical has been discovered in OSPG binwalk up to 2.4.3. This vulnerability affects the function read_null_terminated_string of the file src/binwalk/plugins/winceextract.py of the component WinCE Extraction Plugin. Manipulation of the argument self.file_name leads to path traversal. This vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability is referenced as CVE-2026-7179. The attack can only be performed from a local environment. Furthermore, an exploit is available.
The project maintainer confirms this issue: “I accept the existence of the Path Traversal vulnerability. However, as stated in the GitHub link, it reached EOL and as a result no actions should be expected.” The GitHub repository mentions that “[u]sers and contributors should migrate to binwalk v3.”
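Because no fix is expected for the 2.x line, the following added example (not binwalk's code) sketches the containment check an extractor needs before it writes a file whose name was read from an image. `contained_path`, `check_names` and the sample entries are hypothetical and constructed for illustration; `read_null_terminated_string` here is a stand-in that shares only its name with the affected function.

```python
import os
import tempfile

def read_null_terminated_string(buf: bytes, offset: int = 0) -> str:
    """Return the string starting at offset, up to (not including) the first NUL."""
    end = buf.find(b"\x00", offset)
    if end == -1:
        end = len(buf)
    return buf[offset:end].decode("ascii", errors="replace")

def contained_path(extract_dir: str, untrusted_name: str) -> str:
    """Map a name taken from an image to a path inside extract_dir, or raise ValueError."""
    # Names in WinCE images use Windows separators, so treat "\" like "/".
    name = untrusted_name.replace("\\", "/")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    # Reject absolute paths, empty names, parent references and drive letters.
    if name.startswith("/") or not parts or ".." in parts or ":" in parts[0]:
        raise ValueError(f"unsafe file name in image: {untrusted_name!r}")
    base = os.path.realpath(extract_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # realpath also resolves symlinks that already exist in the output directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes extraction directory: {untrusted_name!r}")
    return target

def check_names(extract_dir, raw_entries):
    """Return {name: resolved path, or None if rejected} for each raw entry."""
    results = {}
    for raw in raw_entries:
        name = read_null_terminated_string(raw)
        try:
            results[name] = contained_path(extract_dir, name)
        except ValueError:
            results[name] = None
    return results

# Constructed sample name fields (not taken from a real image).
SAMPLES = [
    b"nk.exe\x00padding",
    b"..\\..\\outside.txt\x00",
    b"/abs/outside.txt\x00",
    b"C:\\Windows\\x.dll\x00",
    b"\x00",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, path in check_names(d, SAMPLES).items():
            print(repr(name), "->", path or "REJECTED")
```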