CVE-2026-21878 – BACnet Stack Improperly Limits Pathnames to a Restricted Directory

CVE ID : CVE-2026-21878

Published : Feb. 13, 2026, 7:17 p.m. | 1 hour, 12 minutes ago

Description : BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack’s file writing functionality where there is no validation of user-provided file paths, allowing attackers to write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…