CVE-2026-41904: Overly Strict Realpath Validation DoS
An overly strict path traversal check rejects operations when `realpath()` returns `false`. Because `realpath()` returns `false` for non-existent directories, this improperly blocks operations (like archive extraction) where the target directories are meant to be dynamically created, leading to a Denial of Service.
greprules fetch cve-2026-41904-overly-strict-realpath-validation-dos --engine opengrep
Description
An overly strict path traversal check rejects operations when `realpath()` returns `false`. Because `realpath()` returns `false` for non-existent directories, this improperly blocks operations (like archive extraction) where the target directories are meant to be dynamically created, leading to a Denial of Service.
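The check described above, next to a tolerant variant, as an added example that is not code from this rule or from the affected project. It assumes PHP (where `realpath()` returns `false` on failure); the function names and sample paths are hypothetical.

```php
<?php
// Overly strict: realpath() === false is treated as a traversal attempt, so
// an entry whose parent directory has not been created yet is rejected.
function isInsideStrict(string $base, string $target): bool
{
    $realBase = realpath($base);
    $realDir  = realpath(dirname($target));
    if ($realBase === false || $realDir === false) {
        return false; // not-yet-created directories are rejected here
    }
    return $realDir === $realBase
        || str_starts_with($realDir, $realBase . DIRECTORY_SEPARATOR);
}

// Tolerant (PHP 8+): resolve the deepest ancestor that exists, re-append the
// components still to be created, and refuse ".." inside that unresolved tail.
function isInsideTolerant(string $base, string $target): bool
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return false; // the extraction root itself must exist
    }
    $tail = [];
    $probe = $target;
    while (($resolved = realpath($probe)) === false) {
        $name = basename($probe);
        $parent = dirname($probe);
        if ($name === '..' || $parent === $probe) {
            return false; // unresolvable ".." or no existing ancestor
        }
        if ($name !== '.' && $name !== '') {
            array_unshift($tail, $name);
        }
        $probe = $parent;
    }
    $full = implode(DIRECTORY_SEPARATOR, array_merge([$resolved], $tail));
    return $full === $realBase
        || str_starts_with($full, $realBase . DIRECTORY_SEPARATOR);
}

// Constructed sample: an empty extraction root and two archive entry names.
$base = sys_get_temp_dir() . '/extract_' . bin2hex(random_bytes(4));
mkdir($base);
foreach (['docs/img/logo.png', 'docs/../../outside.txt'] as $entry) {
    printf("%-24s strict=%s tolerant=%s\n", $entry,
        var_export(isInsideStrict($base, "$base/$entry"), true),
        var_export(isInsideTolerant($base, "$base/$entry"), true));
}
rmdir($base);
```

Because existing ancestors are still passed through `realpath()`, a symlinked directory that points outside the root fails the prefix comparison in the tolerant variant as well.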
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided