{"id":"CVE-2022-31502","details":"The operatorequals/wormnest repository through 0.4.7 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.","modified":"2026-07-08T06:01:50.011881300Z","published":"2022-07-11T00:53:39Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31502.json","cna_assigner":"mitre"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31502.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31502"},{"type":"REPORT","url":"https://github.com/github/securitylab/issues/669#issuecomment-1117265726"},{"type":"FIX","url":"https://github.com/operatorequals/wormnest/commit/2dfe96fc2570586ac487b399ac20d41b3c114861"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/operatorequals/wormnest","events":[{"introduced":"0"},{"fixed":"2dfe96fc2570586ac487b399ac20d41b3c114861"}],"database_specific":{"cpe":"cpe:2.3:a:wormnest_project:wormnest:*:*:*:*:*:*:*:*","source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"last_affected":"0.4.7"}]}}],"versions":["0.4.7","0.4.6","0.4.5","0.4.4","0.4.3","0.4.1","0.4.0","0.3.5","0.3.4","0.3.3","0.3.0","0.2.4","0.1.0","0.0.2","0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31502.json"}}],"schema_version":"1.7.5"}