Path Traversal in Squidowl Halloy
CVE-2026-32733
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path tr…
Vulnerability class: Path Traversal (Directory Traversal)
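The check the description says was missing can be sketched as follows. This is an added example, not Halloy's code and not the change made in the referenced commit; the function names, the download directory and the sample filenames are hypothetical. It assumes the receiver keeps only the final component of the offered name rather than rejecting the transfer outright.

```rust
use std::path::{Component, Path, PathBuf};

/// Reduce a remote-supplied DCC SEND filename to one safe file name.
/// Returns None when nothing usable is left.
fn sanitize_dcc_filename(raw: &str) -> Option<String> {
    // The sender may run any OS, so treat '/' and '\' both as separators
    // and keep only the final component.
    let last = raw.rsplit(|c: char| c == '/' || c == '\\').next()?;
    // Drop control characters (NUL included) and surrounding whitespace.
    let cleaned: String = last.chars().filter(|c| !c.is_control()).collect();
    let cleaned = cleaned.trim();
    if cleaned.is_empty() || cleaned == "." || cleaned == ".." {
        return None;
    }
    Some(cleaned.to_string())
}

/// Build the on-disk path for a received file, or None to refuse the transfer.
fn resolve_download_path(download_dir: &Path, raw: &str) -> Option<PathBuf> {
    let name = sanitize_dcc_filename(raw)?;
    // Defence in depth: the name must parse as exactly one normal component
    // on this platform (this rejects drive prefixes such as "C:x" on Windows).
    let mut parts = Path::new(&name).components();
    match (parts.next(), parts.next()) {
        (Some(Component::Normal(_)), None) => Some(download_dir.join(&name)),
        _ => None,
    }
}

fn main() {
    // Constructed sample filenames, as they might arrive in a DCC SEND request.
    let dir = Path::new("/home/user/Downloads");
    let samples = ["report.pdf", "../../.ssh/authorized_keys", "..\\..\\evil.exe", "/etc/passwd", ".."];
    for raw in samples.iter() {
        match resolve_download_path(dir, raw) {
            Some(p) => println!("{:?} -> {}", raw, p.display()),
            None => println!("{:?} -> refused", raw),
        }
    }
}
```

Every accepted name resolves to a direct child of the download directory; names that reduce to nothing, `.` or `..` are refused.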
EPSS: 0.000 (7.0th percentile)
Affected products
- Squidowl Halloy — versions <= 2026.4
Weakness classification (CWE)
References
- https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89 (x_refsource_CONFIRM)
- https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 (x_refsource_MISC)