Path Traversal in Theonedev Onedev

CVE-2026-44647

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw b…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (21.4th percentile)
