{"id":"PYSEC-2026-685","summary":"Path Traversal in nemo-toolkit","details":"NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in which ../ Path Traversal may lead to deletion of any directory when admin privileges are available.","aliases":["CVE-2022-22821","GHSA-9hg3-hmmf-c3gr","GHSA-rpx7-33j2-xx9x"],"modified":"2026-07-08T06:49:39.314731245Z","published":"2026-07-02T14:13:14.599712Z","references":[{"type":"WEB","url":"https://github.com/NVIDIA/NeMo/security/advisories/GHSA-rpx7-33j2-xx9x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22821"},{"type":"PACKAGE","url":"https://github.com/NVIDIA/NeMo"},{"type":"PACKAGE","url":"https://pypi.org/project/nemo-toolkit"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-9hg3-hmmf-c3gr"}],"affected":[{"package":{"name":"nemo-toolkit","ecosystem":"PyPI","purl":"pkg:pypi/nemo-toolkit"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.0"}]}],"versions":["0.10.0","0.10.0b0","0.10.0b1","0.10.0b10","0.10.0b2","0.10.0b3","0.10.0b4","0.10.0b5","0.10.0b6","0.10.0b7","0.10.0b8","0.10.0b9","0.10.1","0.11.0","0.11.0b1","0.11.0b10","0.11.0b11","0.11.0b12","0.11.0b14","0.11.0b2","0.11.0b3","0.11.0b4","0.11.0b5","0.11.0b6","0.11.0b8","0.8","0.8.1","0.8.2","0.9.0","1.0.0","1.0.0a4","1.0.0b0","1.0.0b1","1.0.0b2","1.0.0b3","1.0.0rc1","1.0.1","1.0.2","1.1.0","1.2.0","1.3.0","1.4.0","1.5.0","1.5.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nemo-toolkit/PYSEC-2026-685.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}