{"api_version":"1","generated_at":"2026-07-04T17:40:41+00:00","cve":"CVE-2026-14611","urls":{"html":"https://cve.report/CVE-2026-14611","api":"https://cve.report/api/cve/CVE-2026-14611.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-14611","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-14611"},"summary":{"title":"DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProjectMemory exposure of resource","description":"A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component.","state":"PUBLISHED","assigner":"VulDB","published_at":"2026-07-03 21:16:56","updated_at":"2026-07-03 21:16:56"},"problem_types":["CWE-200","CWE-668","CWE-668 Exposure of Resource","CWE-200 Information Disclosure"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"4","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C","data":{"baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C","version":"2.0"}}],"references":[{"url":"https://github.com/DeepMyst/Mysti/pull/49","name":"https://github.com/DeepMyst/Mysti/pull/49","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/cve/CVE-2026-14611","name":"https://vuldb.com/cve/CVE-2026-14611","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/376119/cti","name":"https://vuldb.com/vuln/376119/cti","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/submit/844651","name":"https://vuldb.com/submit/844651","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/376119","name":"https://vuldb.com/vuln/376119","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/DeepMyst/Mysti/commit/6d709229b5199f6769fb3cf763e5122dcc43c079","name":"https://github.com/DeepMyst/Mysti/commit/6d709229b5199f6769fb3cf763e5122dcc43c079","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/DeepMyst/Mysti/","name":"https://github.com/DeepMyst/Mysti/","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/DeepMyst/Mysti/issues/46","name":"https://github.com/DeepMyst/Mysti/issues/46","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-14611","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14611","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"DeepMyst","product":"Mysti","version":"affected 0.1","platforms":[]},{"source":"CNA","vendor":"DeepMyst","product":"Mysti","version":"affected 0.2","platforms":[]},{"source":"CNA","vendor":"DeepMyst","product":"Mysti","version":"affected 0.3","platforms":[]},{"source":"CNA","vendor":"DeepMyst","product":"Mysti","version":"affected 0.4.0","platforms":[]},{"source":"CNA","vendor":"DeepMyst","product":"Mysti","version":"unaffected 0.4.0","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-07-03T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2026-07-03T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2026-07-03T16:14:24.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Dem00000 (VulDB User)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:deepmyst:mysti:*:*:*:*:*:*:*:*"],"modules":["Per-Project Auto-Memory Handler"],"product":"Mysti","vendor":"DeepMyst","versions":[{"status":"affected","version":"0.1"},{"status":"affected","version":"0.2"},{"status":"affected","version":"0.3"},{"status":"affected","version":"0.4.0"},{"status":"unaffected","version":"0.4.0"}]}],"credits":[{"lang":"en","type":"reporter","value":"Dem00000 (VulDB User)"}],"descriptions":[{"lang":"en","value":"A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component."}],"metrics":[{"cvssV4_0":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X","version":"4.0"}},{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C","version":"3.1"}},{"cvssV3_0":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C","version":"3.0"}},{"cvssV2_0":{"baseScore":4,"vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-668","description":"Exposure of Resource","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-200","description":"Information Disclosure","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T21:00:10.362Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-376119 | DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProjectMemory exposure of resource","tags":["vdb-entry","technical-description"],"url":"https://vuldb.com/vuln/376119"},{"name":"VDB-376119 | CTI Indicators (IOB, IOC, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/vuln/376119/cti"},{"name":"CVE-2026-14611 | CVE Analysis and Report","tags":["third-party-advisory"],"url":"https://vuldb.com/cve/CVE-2026-14611"},{"name":"Submit #844651 | DeepMyst Mysti 0.4.0 Information Exposure / Improper Isolation","tags":["third-party-advisory"],"url":"https://vuldb.com/submit/844651"},{"tags":["issue-tracking"],"url":"https://github.com/DeepMyst/Mysti/issues/46"},{"tags":["issue-tracking","patch"],"url":"https://github.com/DeepMyst/Mysti/pull/49"},{"tags":["patch"],"url":"https://github.com/DeepMyst/Mysti/commit/6d709229b5199f6769fb3cf763e5122dcc43c079"},{"tags":["product"],"url":"https://github.com/DeepMyst/Mysti/"}],"tags":["x_open-source"],"timeline":[{"lang":"en","time":"2026-07-03T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2026-07-03T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2026-07-03T16:14:24.000Z","value":"VulDB entry last update"}],"title":"DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProjectMemory exposure of resource"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2026-14611","datePublished":"2026-07-03T21:00:10.362Z","dateReserved":"2026-07-03T14:09:19.785Z","dateUpdated":"2026-07-03T21:00:10.362Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 21:16:56","lastModifiedDate":"2026-07-03 21:16:56","problem_types":["CWE-200","CWE-668","CWE-668 Exposure of Resource","CWE-200 Information Disclosure"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"14611","Ordinal":"1","Title":"DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProj","CVE":"CVE-2026-14611","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"14611","Ordinal":"1","NoteData":"A vulnerability has been found in DeepMyst Mysti up to 0.4.0. The affected element is the function initProjectMemory of the file src/managers/MemoryManager.ts of the component Per-Project Auto-Memory Handler. Such manipulation of the argument workspacePath leads to exposure of resource. The attack may be performed from remote. Upgrading to version 0.4.0 is sufficient to fix this issue. The name of the patch is 6d709229b5199f6769fb3cf763e5122dcc43c079. It is advisable to upgrade the affected component.","Type":"Description","Title":"DeepMyst Mysti Per-Project Auto-Memory MemoryManager.ts initProj"}]}}}