CVE-2026-21878

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3	Patch
https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1::::::
	cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2::::::

History

No history.

Information

Published : 2026-02-13 19:17

Updated : 2026-02-18 18:49

NVD link : CVE-2026-21878

Mitre link : CVE-2026-21878

CVE.ORG link : CVE-2026-21878

JSON object : View

Products Affected

bacnetstack

bacnet_stack

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-21878", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-13T19:17:28.650", "references": [{"url": "https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3."}, {"lang": "es", "value": "BACnet Stack es una librer\u00eda C de pila de protocolos BACnet de c\u00f3digo abierto para sistemas embebidos. Antes de la versi\u00f3n 1.5.0.rc3, se ha descubierto una vulnerabilidad en la funcionalidad de escritura de archivos de BACnet Stack donde no hay validaci\u00f3n de las rutas de archivo proporcionadas por el usuario, lo que permite a los atacantes escribir archivos en directorios arbitrarios. Esto afecta a apps/readfile/main.c y ports/posix/bacfile-posix.c. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.5.0.rc3."}], "lastModified": "2026-02-18T18:49:16.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B47182E-6B7F-4C53-904A-EB37C9C0A439"}, {"criteria": "cpe:2.3:a:bacnetstack:bacnet_stack:1.5.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF491863-1A31-4A23-A6AC-DF7545FCAA48"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}