CVE-2026-31886

Description

Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu

How to fix CVE-2026-31886

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• Go/github.com/dagu-org/dagu—no fix listed
• —no fix listed

Is CVE-2026-31886 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, <= 2.2.4
• from 0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-31886
• PATCHgithub.com/dagu-org/dagu
• WEBgithub.com/dagu-org/dagu/commit/12c2e5395bd9331d49ca103593edfd0db39c4f38
• WEBgithub.com/dagu-org/dagu/security/advisories/GHSA-m4q3-457p-hh2x
• WEB