Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-28427

Severity CVSS v4.0:
MEDIUM
Type:
CWE-22 Path Traversal
Publication date:
04/03/2026
Last modified:
04/03/2026

Description

OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L CVSS v4.0 Severity and Metrics:

Base Score: 5.90 MEDIUM
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L

Attack Vector (AV): Network
Attack Complexity (AC): High
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): Active
Confidentiality (VC): High
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): Low

Base Score 4.0
5.90
Severity 4.0
MEDIUM

References to Advisories, Solutions, and Tools