BBOT: Arbitrary File Write in postman_download Module

When

2026-06-18 15:03 UTC

Where

Global (internet)

Category

cyber_advisory · pip

The `postman_download` module uses the workspace `name` field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-18 15:03 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map