Zero Day Monitor
CVE-2026-29871 · EXPLOITED · CVSS 7.5
n/a · n/a

CVE-2026-29871: A path traversal vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251

Description

A path traversal vulnerability exists in the awesome-llm-apps project at commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19), in the FastAPI backend of the Beifong AI News and Podcast Agent. The affected code is the stream-audio endpoint, implemented by the function stream_audio in routers/podcast_router.py. The endpoint accepts a user-controlled path parameter and concatenates it into a filesystem path without proper validation or restriction. An unauthenticated remote attacker can exploit this to read arbitrary files from the server filesystem, potentially disclosing sensitive information such as configuration files and credentials.
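
One way to enforce the restriction the description says is missing, as an added example that is not the project's code. `naive_join` stands in for the concatenation pattern described; `safe_resolve`, the `audio/` directory and the sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_join(base_dir: str, user_path: str) -> str:
    """Assumed shape of the flaw: request value joined straight onto the base."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Path:
    """Return the file under base_dir, or raise ValueError if it escapes."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks before the comparison;
    # an absolute user_path replaces base entirely and fails the same check.
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError("path escapes the audio directory")
    if not candidate.is_file():
        raise ValueError("not a regular file")
    return candidate


def demo() -> list:
    """Constructed tree: <tmp>/audio/ep1.mp3, <tmp>/secret.env, and a symlink."""
    rows = []
    with tempfile.TemporaryDirectory() as tmp:
        audio = Path(tmp).resolve() / "audio"
        audio.mkdir()
        (audio / "ep1.mp3").write_bytes(b"ID3")
        secret = audio.parent / "secret.env"
        secret.write_text("API_KEY=constructed")
        os.symlink(secret, audio / "link.mp3")  # symlink pointing outside
        for label, requested in [("plain", "ep1.mp3"), ("dotdot", "../secret.env"),
                                 ("absolute", str(secret)), ("symlink", "link.mp3")]:
            # Where the naive join actually lands once the OS resolves it.
            landed = Path(os.path.realpath(naive_join(str(audio), requested)))
            escapes = not landed.is_relative_to(audio)
            try:
                safe_resolve(str(audio), requested)
                served = True
            except ValueError:
                served = False
            rows.append((label, escapes, served))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Each row is (case, whether the naive join lands outside the audio directory, whether `safe_resolve` would serve it); in a handler the `ValueError` would map to a 404 rather than echoing the resolved path.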

Affected Products

Vendor | Product | Versions
n/a | n/a | n/a

References

  • https://github.com/lilmingwa13/security-research/blob/main/CVE-2026-29871.md

Related News (1 article)

Tier C
VulDB · 7h ago
CVE-2026-29871 | awesome-llm-apps e46690f99c3f08be80a9877fab52acacf7ab8251 FastAPI Backend podcast_router.py stream_audio path path traversal
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Published: 3/27/2026
Last enriched: 7h ago (v2)
Trending Score: 63
Source articles: 1
Independent: 1
Info Completeness: 6/14
Missing: cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Verification

State: unverified
Confidence: 0%

Version History

v2
Last enriched 7h ago
v2 · Tier C · 7h ago

Updated vendor to awesome-llm-apps, product to FastAPI Backend, severity to CRITICAL, and noted that the vulnerability is actively exploited.

description · severity · activelyExploited
via VulDB
v1 · 8h ago

Initial creation