
CVE-2026-12568

MEDIUM NVD
CVSS Score 6.5
Severity MEDIUM
Published Jun 17, 2026
Vendor unknown

Description

The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.
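The pattern described above, next to one way of containing it. This is an added example, not code from the postman_download module; the function names, the `export_dir` directory and the sample workspace names are hypothetical and constructed for illustration.

```python
from __future__ import annotations

import re
from pathlib import Path


def unsafe_workspace_dir(output_dir: str | Path, workspace_name: str) -> Path:
    """Pattern from the description: the API-supplied name is joined as-is."""
    # ".." segments walk upward, and an absolute name replaces output_dir entirely.
    return (Path(output_dir) / workspace_name).resolve()


def safe_workspace_dir(output_dir: str | Path, workspace_name: str) -> Path:
    """Reduce the name to one path component, then verify containment."""
    # Replace separators and anything outside a conservative allow-list.
    cleaned = re.sub(r"[^\w.\- ]", "_", workspace_name).strip(" .")
    if not cleaned:                      # e.g. the name was "." or ".."
        cleaned = "workspace"
    base = Path(output_dir).resolve()
    target = (base / cleaned).resolve()
    # Defense in depth: a symlink already present in output_dir could still
    # redirect the resolved path, so check the final location as well.
    if base not in target.parents:
        raise ValueError(f"workspace path escapes output directory: {target}")
    return target


if __name__ == "__main__":
    # Constructed workspace names, as they might arrive from a remote API.
    for name in ["Team API", "../../outside", "/etc/cron.d", ".."]:
        print(f"{name!r:18} unsafe -> {unsafe_workspace_dir('export_dir', name)}")
        print(f"{'':18} safe   -> {safe_workspace_dir('export_dir', name)}")
```

The containment check runs on the resolved path, so it holds even if the character allow-list is later loosened.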
