Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-32733

Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.7%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-32733
  • Halloy » Halloy » Version: 2023.2
    cpe:2.3:a:halloy:halloy:2023.2
  • Halloy » Halloy » Version: 2023.3
    cpe:2.3:a:halloy:halloy:2023.3
  • Halloy » Halloy » Version: 2023.4
    cpe:2.3:a:halloy:halloy:2023.4
  • Halloy » Halloy » Version: 2023.5
    cpe:2.3:a:halloy:halloy:2023.5
  • Halloy » Halloy » Version: 2024.1
    cpe:2.3:a:halloy:halloy:2024.1
  • Halloy » Halloy » Version: 2024.10
    cpe:2.3:a:halloy:halloy:2024.10
  • Halloy » Halloy » Version: 2024.11
    cpe:2.3:a:halloy:halloy:2024.11
  • Halloy » Halloy » Version: 2024.12
    cpe:2.3:a:halloy:halloy:2024.12
  • Halloy » Halloy » Version: 2024.13
    cpe:2.3:a:halloy:halloy:2024.13
  • Halloy » Halloy » Version: 2024.14
    cpe:2.3:a:halloy:halloy:2024.14
  • Halloy » Halloy » Version: 2024.2
    cpe:2.3:a:halloy:halloy:2024.2
  • Halloy » Halloy » Version: 2024.3
    cpe:2.3:a:halloy:halloy:2024.3
  • Halloy » Halloy » Version: 2024.4
    cpe:2.3:a:halloy:halloy:2024.4
  • Halloy » Halloy » Version: 2024.5
    cpe:2.3:a:halloy:halloy:2024.5
  • Halloy » Halloy » Version: 2024.6
    cpe:2.3:a:halloy:halloy:2024.6
  • Halloy » Halloy » Version: 2024.7
    cpe:2.3:a:halloy:halloy:2024.7
  • Halloy » Halloy » Version: 2024.8
    cpe:2.3:a:halloy:halloy:2024.8
  • Halloy » Halloy » Version: 2024.9
    cpe:2.3:a:halloy:halloy:2024.9
  • Halloy » Halloy » Version: 2025.1
    cpe:2.3:a:halloy:halloy:2025.1
  • Halloy » Halloy » Version: 2025.10
    cpe:2.3:a:halloy:halloy:2025.10
  • Halloy » Halloy » Version: 2025.11
    cpe:2.3:a:halloy:halloy:2025.11
  • Halloy » Halloy » Version: 2025.12
    cpe:2.3:a:halloy:halloy:2025.12
  • Halloy » Halloy » Version: 2025.2
    cpe:2.3:a:halloy:halloy:2025.2
  • Halloy » Halloy » Version: 2025.3
    cpe:2.3:a:halloy:halloy:2025.3
  • Halloy » Halloy » Version: 2025.4
    cpe:2.3:a:halloy:halloy:2025.4
  • Halloy » Halloy » Version: 2025.5
    cpe:2.3:a:halloy:halloy:2025.5
  • Halloy » Halloy » Version: 2025.6
    cpe:2.3:a:halloy:halloy:2025.6
  • Halloy » Halloy » Version: 2025.7
    cpe:2.3:a:halloy:halloy:2025.7
  • Halloy » Halloy » Version: 2025.8
    cpe:2.3:a:halloy:halloy:2025.8
  • Halloy » Halloy » Version: 2025.9
    cpe:2.3:a:halloy:halloy:2025.9
  • Halloy » Halloy » Version: 2026.1
    cpe:2.3:a:halloy:halloy:2026.1
  • Halloy » Halloy » Version: 2026.1.1
    cpe:2.3:a:halloy:halloy:2026.1.1
  • Halloy » Halloy » Version: 2026.2
    cpe:2.3:a:halloy:halloy:2026.2
  • Halloy » Halloy » Version: 2026.3
    cpe:2.3:a:halloy:halloy:2026.3
  • Halloy » Halloy » Version: 2026.4
    cpe:2.3:a:halloy:halloy:2026.4


Products
Pricing
Contact Us

Shodan ® - All rights reserved