{"id":"CVE-2026-33166","summary":"Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)","details":"Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.","aliases":["GHSA-64hm-gfwq-jppw"],"modified":"2026-04-02T13:27:00.747961Z","published":"2026-03-20T21:38:23.475Z","database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33166.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33166.json"},{"type":"ADVISORY","url":"https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33166"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/allure-framework/allure2","events":[{"introduced":"0"},{"fixed":"10a4a52393360f574ba9045b70cbd5f505f9a56f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.38.0"}]}}],"versions":["2.0-BETA1","2.0-BETA3","2.0-BETA4","2.0-BETA5","2.0-BETA6","2.0-BETA7","2.0-BETA8","2.0-M1","2.0.0","2.0.1","2.1.0","2.1.1","2.10.0","2.11.0","2.12.0","2.12.1","2.13.0","2.13.1","2.13.10","2.13.2","2.13.3","2.13.4","2.13.5","2.13.6","2.13.7","2.13.8","2.13.9","2.14.0","2.15.0","2.16.0","2.16.1","2.17.0","2.17.1","2.17.2","2.17.3","2.18.0","2.18.1","2.19.0","2.2.0","2.2.1","2.20.0","2.20.1","2.21.0","2.22.0","2.22.1","2.22.2","2.22.3","2.22.4","2.23.0","2.23.1","2.24.0","2.24.1","2.25.0","2.26.0","2.27.0","2.28.0","2.29.0","2.3","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.30.0","2.31.0","2.32.0","2.32.1","2.32.2","2.33.0","2.34.0","2.34.1","2.35.0","2.35.1","2.36.0","2.37.0","2.4.0","2.4.1","2.5.0","2.6.0","2.7.0","2.8.0","2.8.1","2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33166.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}