CVE-2026-39859: Conditional Path Containment Bypass

Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | typescript
greprules fetch cve-2026-39859-conditional-path-containment-bypass --engine opengrep

Description

A directory containment verification is conditionally bypassed based on an inequality condition. This logic error can allow path traversal or local file inclusion (LFI) because outer path boundaries are discarded for specific cases. Ensure containment invariants are enforced unconditionally on all file lookup operations.
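
The pattern described above, shown as an added TypeScript example. It is not the affected project's code or this rule's detection target; the function names, paths and the specific inequality (`fromDir !== root`) are assumptions chosen to illustrate a conditional containment check beside an unconditional one.

```typescript
import * as path from "node:path";

// POSIX flavour so the constructed paths below behave the same on any host.
const p = path.posix;

// True when `target` is `root` itself or lies beneath it (lexical check only;
// symlinks would additionally need fs.realpath before comparing).
function isContained(root: string, target: string): boolean {
  const rel = p.relative(root, target);
  return rel !== ".." && !rel.startsWith("../") && !p.isAbsolute(rel);
}

// Flawed shape (constructed): the root boundary is checked only when the
// including directory differs from the root, so lookups issued from the
// root directory itself are never contained.
function resolveConditional(root: string, fromDir: string, name: string): string | null {
  const target = p.resolve(fromDir, name);
  if (fromDir !== root && !isContained(root, target)) return null;
  return target;
}

// Hardened shape: the invariant holds for every lookup, with no special case.
function resolveStrict(root: string, fromDir: string, name: string): string | null {
  const target = p.resolve(fromDir, name);
  return isContained(root, target) ? target : null;
}

// Constructed sample lookups: [fromDir, requested name].
const ROOT = "/srv/app/templates";
const samples: [string, string][] = [
  [ROOT, "header.html"],
  [ROOT + "/partials", "../footer.html"],
  [ROOT + "/partials", "../../config/app.env"],
  [ROOT, "../config/app.env"],
];

function compare(): { conditional: string | null; strict: string | null }[] {
  return samples.map(([dir, name]) => ({
    conditional: resolveConditional(ROOT, dir, name),
    strict: resolveStrict(ROOT, dir, name),
  }));
}

console.log(compare());
```

Only the last sample differs between the two functions: the conditional version returns a path outside `ROOT`, while the strict version returns `null`.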

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
