What is GHSA-33mj-99mg-8g73?

GHSA-33mj-99mg-8g73 is a security advisory published by GitHub Security Advisories with High severity. Routinator has cache path traversal when processing the module component of rsync URIs

Which CVE IDs does GHSA-33mj-99mg-8g73 cover?

GHSA-33mj-99mg-8g73 covers the following CVE IDs: CVE-2026-49233. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-33mj-99mg-8g73?

GHSA-33mj-99mg-8g73 affects 1 product, including: rust/routinator:\u003c= 0.15.1.

GHSA-33mj-99mg-8g73High

Routinator has cache path traversal when processing the module component of rsync URIs

Vendor

GitHub Security Advisories

Published

June 8, 2026

Last Modified

June 12, 2026

🔗 CVE IDs covered (1)

CVE-2026-49233 →

📋 Description

Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.

🎯 Affected products1

rust/routinator:<= 0.15.1

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-49233
https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt
https://github.com/NLnetLabs/routinator/releases/tag/v0.15.2
https://github.com/advisories/GHSA-33mj-99mg-8g73