CVE-2026-25059: OpenList vulnerable to Path Traversal in file copy and remove handlers
The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount.
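Added example, not OpenList's code: a Go sketch of the pattern the advisory describes (authorisation on the directory, then raw names joined to it) beside a hardened resolver that rejects traversal in the name components. The handler shape (one authorised directory plus a list of names, as in a copy or remove request) and all paths are assumptions.

```go
package main
import (
	"errors"
	"fmt"
	"path"
	"strings"
)
// ErrBadName: a submitted name is not a single plain path component.
var ErrBadName = errors.New("name must be a single path component")

// Vulnerable pattern from the advisory: the directory is authorised, then each
// raw name is joined to it, so "../x" escapes after the check has passed.
func resolveUnchecked(dir, name string) string {
	return path.Join(dir, name)
}

// Hardened: reject anything that is not a plain file name, then confirm the
// joined path is still strictly inside the authorised directory.
func resolveChecked(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {
		return "", ErrBadName
	}
	base := path.Clean("/" + dir)
	full := path.Join(base, name)
	if !strings.HasPrefix(full, strings.TrimSuffix(base, "/")+"/") {
		return "", ErrBadName
	}
	return full, nil
}

// resolveAll checks every name in a copy or remove request; one bad name
// rejects the whole request rather than silently skipping it.
func resolveAll(dir string, names []string) ([]string, error) {
	out := make([]string, 0, len(names))
	for _, n := range names {
		p, err := resolveChecked(dir, n)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", n, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() { // constructed request: authorised dir plus one traversal name
	fmt.Println("unchecked:", resolveUnchecked("/alice/docs", "../../bob/secret.txt"))
	_, err := resolveAll("/alice/docs", []string{"report.txt", "../../bob/secret.txt"})
	fmt.Println("checked:", err)
}
```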
References
- github.com/OpenListTeam/OpenList
- github.com/OpenListTeam/OpenList/blob/5db2172ed681346b69ed468c73c1f01b6ed455ea/server/handles/fsmanage.go
- github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14
- github.com/OpenListTeam/OpenList/releases/tag/v4.1.10
- github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq
- github.com/advisories/GHSA-qmj2-8r24-xxcq
- nvd.nist.gov/vuln/detail/CVE-2026-25059