CVE-2026-50877 | Severity: HIGH | CNA: mitre

CVE-2026-50877: An issue in Zhoros SuperBin v1

An issue in Zhoros SuperBin v1.0.0 allows attackers to perform a directory traversal by supplying files whose names contain traversal characters.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in Zhoros SuperBin v1.0.0 allows a remote, unauthenticated attacker to request files outside the intended directory by embedding traversal characters (such as "../") in filenames sent over the network. No login or special privileges are needed to trigger the flaw. Successful exploitation gives the attacker read access to arbitrary files on the host, potentially exposing sensitive configuration, credentials, or application data. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
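To make the flaw class concrete, here is an added example (not SuperBin's code, whose internals the advisory does not show): the naive join that lets a supplied name such as "../" escape the served directory, beside a containment check that resolves the name and refuses anything that lands outside the base. The base directory and file names are constructed for illustration.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a client-supplied name would resolve outside the served directory."""


def naive_path(base_dir: str, name: str) -> str:
    """Pattern behind the advisory's flaw class (constructed illustration):
    the supplied name is joined to the base directory and used as-is."""
    return os.path.join(base_dir, name)


def safe_path(base_dir: str, name: str) -> str:
    """Return the absolute path for `name` only if it stays inside `base_dir`."""
    if not name or "\x00" in name:
        raise TraversalError("empty name or embedded NUL byte")
    # os.path.join silently discards base_dir when name is absolute
    if os.path.isabs(name):
        raise TraversalError("absolute path supplied")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so the
    # containment check is made on the final on-disk location
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{name!r} resolves outside {base}")
    return candidate


def escapes_base(base_dir: str, name: str) -> bool:
    """True when safe_path rejects the name."""
    try:
        safe_path(base_dir, name)
        return False
    except TraversalError:
        return True


def symlink_escape_is_caught() -> bool:
    """A symlink inside the base that points outside it is also rejected."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as outside:
        target = os.path.join(outside, "secret.txt")
        with open(target, "w") as fh:
            fh.write("constructed secret\n")  # constructed sample file
        os.symlink(target, os.path.join(base, "link.txt"))
        return escapes_base(base, "link.txt")


if __name__ == "__main__":
    # Constructed base directory: the naive join escapes, the checked one refuses.
    print(naive_path("/srv/uploads", "../../etc/passwd"))   # /srv/uploads/../../etc/passwd
    print(escapes_base("/srv/uploads", "../../etc/passwd"))  # True
```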

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-50877 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that package Zhoros SuperBin.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Zhoros SuperBin advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once the upstream patch is released.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SuperBin service over the network; the service exposes this flaw to any host that can send it a request (AV:N).

  • Authentication: Not required

    No account or session token is needed; the traversal payload can be sent by any unauthenticated caller (PR:N).

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from a user or administrator on the target system (UI:N).

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors are required (AC:L).

Blast Radius

  • An attacker reads arbitrary files from the host filesystem, bounded only by the permissions of the process running SuperBin.
  • Sensitive files such as environment variable files, private keys, and application configuration are exposed if they are readable by that process.
  • No integrity or availability impact is indicated; the vulnerability is limited to unauthorized file disclosure (C:H, I:N, A:N).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-50877 is active for any image found to contain Zhoros SuperBin v1.0.0, with results surfaced in the vulnerability dashboard and routed per each organization's compliance policy. Because no upstream patch exists at this time, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically when a fix version is published. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict which clients can reach the SuperBin service, egress filtering to limit where the process can send the data it reads, and flagging the image for manual review until a fix is available. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will execute without manual intervention as soon as the upstream fix ships.

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N