Severity: MEDIUM (6.5)

GHSA-m54h-vhf9-3w3m

BBOT: Arbitrary File Write in postman_download Module

Details

The `postman_download` module takes the workspace `name` field returned by the Postman API and joins it onto the local output directory with pathlib, without sanitizing it. A workspace name containing path traversal sequences (for example `../` segments, or an absolute path, which pathlib's join treats as replacing the base directory) therefore yields a target path outside the intended output directory. Because workspace names are controlled by whoever created the workspace, an attacker whose workspace is fetched by the module can cause it to write files to arbitrary locations on the user's system, with whatever permissions the BBOT process has.
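The following Python is an added illustration of the bug class, not code from BBOT or from the fixed module: a vulnerable join that trusts the API-supplied name, next to a hardened version that reduces the name to a single path component and checks containment after resolving `..`. The sample workspace records and the `output_dir` value are constructed for this example; the shape of the real API response is an assumption here.

```python
from pathlib import Path
from typing import Optional

# Constructed sample workspace records in the shape this example assumes
# (a dict with a "name" field); not taken from the Postman API docs.
SAMPLE_WORKSPACES = [
    {"id": "ws-1", "name": "team-workspace"},   # benign
    {"id": "ws-2", "name": "../../.ssh"},       # relative traversal
    {"id": "ws-3", "name": "/etc/cron.d"},      # absolute path: replaces the base
    {"id": "ws-4", "name": "reports/2024"},     # contained, but not a single component
]


def unsafe_target_dir(output_dir: Path, workspace_name: str) -> Path:
    """Vulnerable pattern: join the API-controlled name as-is.

    '..' segments walk out of output_dir when the path is used, and an
    absolute name makes pathlib drop output_dir entirely:
    Path('/out') / '/etc' == Path('/etc').
    """
    return output_dir / workspace_name


def escapes(output_dir: Path, target: Path) -> bool:
    """True if target, after normalising '..' and symlinks, lies outside output_dir."""
    base = output_dir.resolve()
    try:
        target.resolve().relative_to(base)
    except ValueError:
        return True
    return False


def safe_target_dir(output_dir: Path, workspace_name: str) -> Optional[Path]:
    """Hardened form: accept only a name that becomes exactly one directory
    directly under output_dir. Returns None when the name is rejected.

    Checking the resolved candidate's parent against the resolved base
    rejects '..', absolute paths, nested names and empty/'.' names alike,
    without trying to sanitise the string into something else.
    """
    if not workspace_name or workspace_name in (".", ".."):
        return None
    base = output_dir.resolve()
    candidate = (base / workspace_name).resolve()
    if candidate.parent != base or candidate.name != workspace_name:
        return None
    return candidate


def triage(output_dir: Path) -> dict:
    """Map each sample workspace name to (unsafe join escapes?, hardened result)."""
    return {
        ws["name"]: (
            escapes(output_dir, unsafe_target_dir(output_dir, ws["name"])),
            safe_target_dir(output_dir, ws["name"]),
        )
        for ws in SAMPLE_WORKSPACES
    }


if __name__ == "__main__":
    out = Path("/tmp/bbot_output")  # constructed output directory; need not exist
    for name, (escaped, hardened) in triage(out).items():
        print(f"{name!r:20} unsafe-escapes={escaped!s:5} hardened={hardened}")
```

`Path.resolve()` normalises `..` and follows symlinks even when the path does not exist yet, which is what makes the containment check meaningful; a plain string comparison against the unresolved join would pass `/tmp/bbot_output/../../.ssh` as "starting with" the output directory.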


Affected packages

PyPI / bbot
Introduced in: 2.1.0
Fixed in: 2.8.6
Fix: `pip install --upgrade 'bbot>=2.8.6'`
