CVE-2026-8770

Summary

A vulnerability was identified in continuedev continue up to 1.2.22. This affects the function lsTool of the file core/tools/implementations/lsTool.ts of the component JSON-RPC Server. Such manipulation of the argument dirPath leads to path traversal. An attack has to be approached locally. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
continuedevcontinue1.2.0affected
continuedevcontinue1.2.1affected
continuedevcontinue1.2.2affected
continuedevcontinue1.2.3affected
continuedevcontinue1.2.4affected
continuedevcontinue1.2.5affected
continuedevcontinue1.2.6affected
continuedevcontinue1.2.7affected
continuedevcontinue1.2.8affected
continuedevcontinue1.2.9affected
continuedevcontinue1.2.10affected
continuedevcontinue1.2.11affected
continuedevcontinue1.2.12affected
continuedevcontinue1.2.13affected
continuedevcontinue1.2.14affected
continuedevcontinue1.2.15affected
continuedevcontinue1.2.16affected
continuedevcontinue1.2.17affected
continuedevcontinue1.2.18affected
continuedevcontinue1.2.19affected
continuedevcontinue1.2.20affected
continuedevcontinue1.2.21affected
continuedevcontinue1.2.22affected

Weaknesses

  • CWE-22: Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References