Path Traversal in Dagu-org Dagu
CVE-2026-27598
Dagu is a workflow engine with a built-in Web user interface. In versions up to and including 1.16.7, the `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passing it to the file store. An authenticate…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.002 (35.4th percentile)
Affected products
- Dagu-org Dagu — versions <= 1.16.7
Weakness classification (CWE)
References
- https://github.com/dagu-org/dagu/security/advisories/GHSA-6v48-fcq6-ff23 (x_refsource_CONFIRM)
- https://github.com/dagu-org/dagu/commit/e2ed589105d79273e4e6ac8eb31525f765bb3ce4 (x_refsource_MISC)