REPRO-2026-00084 UNKNOWN Path Traversal Verified

Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write

unstructured (pypi) Feb 13, 2026

Open in Codespaces Download Script Download Variant Script

Confidence HIGH

Reproduced in 4m 50s

Tool calls 193

Affected <=0.18.17

Fixed in 0.18.18

What's the vulnerability?

A Path Traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments.

Root Cause Analysis

Variant Analysis

Bypass and alternate trigger exploration (if present).

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00084

or pruva-verify GHSA-GM8Q-M8MV-JJ5M

or pruva-verify CVE-2025-64712

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00084/artifacts/repro/reproduction_steps.sh

Make executable

chmod +x reproduction_steps.sh

Run the script

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

repro/rca_report.md2.9 KB

repro/reproduction_steps.sh1.9 KB

vuln_variant/rca_report.md3.6 KB

vuln_variant/reproduction_steps.sh2.2 KB

bundle/ticket.md1.4 KB

coding/verify_steps.sh1.4 KB

coding/summary_report.md1.9 KB