DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation…
Published:
9 January 2026 at 23:00:00
Alert date:
10 January 2026 at 13:10:58
Source:
nvd.nist.gov
A path traversal vulnerability (CVE-2026-22685) exists in DevToys desktop app versions 2.0.0.0 to before 2.0.9.0. The vulnerability occurs in the extension installation mechanism when processing NUPKG archives. DevToys fails to properly validate file paths within extension packages, allowing malicious packages to include crafted file entries like ../../target-file. This enables attackers to write files outside the intended extensions directory and overwrite arbitrary files with DevToys process privileges. The flaw can lead to code execution, configuration tampering, or corruption of system files. The issue has been patched in version 2.0.9.0.
Technical details
Mitigation steps:
Affected products:
DevToys
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22685
https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f
https://github.com/DevToys-app/DevToys/pull/1643
https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.