Vulnerability Description
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Halloy | Halloy | <= 2026.4 |
Related Weaknesses (CWE)
References
- https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38Patch
- https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89ExploitVendor Advisory
FAQ
What is CVE-2026-32733?
CVE-2026-32733 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC ...
How severe is CVE-2026-32733?
CVE-2026-32733 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32733?
Check the references section above for vendor advisories and patch information. Affected products include: Halloy Halloy.