The Circuitry
THE CIRCUITRYYour one-stop source for all tech news
HOMETODAYNEWSFEEDEVENTS
BOOKMARKS
RSS
© 2026 The Circuitry
About UsSourcesContactCorrectionsPrivacy
  • Today
  • Feed
  • Events
  • Saved
Scroll for more
Verification
VERIFIEDConfidence: HIGH
Source identified
Claims cross-referenced
No discrepancies found
Fact-check summary

NVD published CVE-2026-13103 today on a high-severity path traversal flaw in Lenovo's China-only App Store app.

Sourcing
1source

via NVD

NVD · track record
2Stories
100%Verified
230d
All sources →
Home/Tech/Lenovo App Store Path Traversal Flaw Rated High Severity
VERIFIEDBy Xavier Rivera· ·1 min read

Lenovo App Store Path Traversal Flaw Rated High Severity

Lenovo disclosed CVE-2026-13103, a path traversal vulnerability in its China-only App Store that could let a local authenticated user run arbitrary code. The flaw is rated high severity with CVSS 7.3 and affects versions before 9.0.2930.0514 on Windows.

Source:NVD
Post
Lenovo App Store Path Traversal Flaw Rated High Severity
TL;DRAI · 60 sec read

Lenovo disclosed a high-severity path traversal vulnerability in its App Store application distributed exclusively in China. CVE-2026-13103 has a CVSS score of 7.3. It allows a local authenticated user to execute arbitrary code on Windows versions prior to 9.0.2930.0514 due to improper pathname restriction.

Lenovo has disclosed a high-severity path traversal vulnerability in its App Store application that is distributed exclusively in the Chinese market.

A local authenticated user could execute arbitrary code. The flaw, tracked as CVE-2026-13103, carries a CVSS 3.1 base score of 7.3. Lenovo Group Ltd. assigned a CVSS 4.0 score of 7.0 with vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
A local authenticated user could execute arbitrary code.

The vulnerability stems from improper limitation of a pathname to a restricted directory. It affects Lenovo App Store versions prior to 9.0.2930.0514 on Windows platforms.

The issue was reported directly by Lenovo Group Ltd. The National Vulnerability Database published the CVE record on July 16, 2026, the same day it was received from the vendor at 1:16:54 PM. NVD has not yet provided its own CVSS assessment and notes the record is not prioritized for enrichment due to resource concerns.
From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →

A reference to Lenovo's Chinese-language advisory is listed. The link points to https://iknow.lenovo.com.cn/detail/441419. No additional mitigation steps or patches are detailed in the NVD entry beyond the affected version range.
This marks the first public record for the vulnerability.

The weakness is classified as CWE-22. Lenovo lists the product status as affected for versions below the fixed build and unaffected for 9.0.2930.0514 and later.
This marks the first public record for the vulnerability. Users of the China-specific Lenovo App Store on Windows should monitor the referenced advisory for update instructions.
Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported
DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · The Brief

Liked this? The Brief brings you the whole day in tech, verified, every morning. Two minutes, free forever.

HELP US IMPROVE
From The Circuitry

See what’s happening right now

The Feed runs all day — short, verified briefs the moment they break.

Open the Feed →
From The Circuitry

Follow @thecircuitry_

Every story we publish, as it happens. No noise between.

Follow on X ↗On Bluesky ↗

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee
vulnerabilityLenovosecurity
More fromNVD
  • Critical RCE Flaw in Windows GDI+ Carries 9.6 CVSS Score

    Tech · 1d
More inTech
  • CISA Catalogs Fortinet FortiSandbox Flaw CVE-2026-39808 in KEV Catalog

    Tech · 1h
  • TSMC profit surges 77% as Arizona spending swells by $100 billion

    Tech · 6h
  • China's CXMT Doubles IPO Target to $8.55 Billion

    Tech · 22h
SupportThe Work

The Circuitry is reader-supported. If you find the daily brief useful, you can buy me a coffee to keep it going.

Buy a coffee →
SubscribeCircuitry Brief

Liked this? The Brief brings you the whole day in tech, verified, every morning. Free forever.

MORE IN TECH

CISA Catalogs Fortinet FortiSandbox Flaw CVE-2026-39808 in KEV Catalog

CISA added the Fortinet FortiSandbox OS command injection vulnerability CVE-2026-39808 to its Known Exploited Vulnerabilities catalog on 2026-07-16. Federal agencies have until 2026-07-19 to apply vendor mitigations under BOD 26-04 or discontinue use if patches are unavailable.

TSMC profit surges 77% as Arizona spending swells by $100 billion

TSMC posted a 77.4% year-on-year profit increase to NT$706.56 billion and raised its capital spending outlook while announcing another $100 billion for Arizona fabs. The results underscore sustained AI demand that now dominates 66% of its platform revenue.

China's CXMT Doubles IPO Target to $8.55 Billion

ChangXin Memory Technologies expects to raise 57.9 billion yuan ($8.55 billion) in its Shanghai STAR Market IPO after doubling its original target. The world's fourth-largest DRAM chipmaker will list on July 27, advancing China's push for semiconductor self-reliance.