Description
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10.
Published: 2026-02-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access and Modification
Action: Upgrade
AI Analysis

Impact

A path traversal vulnerability in OpenList’s file operation handlers allows an attacker with authenticated access to craft filenames containing ".." sequences, bypassing validated directory restrictions. This flaw enables reading, deleting, renaming, or copying files belonging to other users within the same storage mount, compromising confidentiality, integrity, and potentially availability of those files.

Affected Systems

All OpenList releases prior to version 4.1.10 are affected. The vulnerability resides in the OpenList frontend component, specifically in the file management handlers under server/handles/fsmanage.go. The affected vendor is OpenListTeam, product OpenList. Users running any version before 4.1.10 should consider themselves at risk if they provide authenticated file manipulation capabilities.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of this analysis. The flaw is classified as CWE‑22 (Path Traversal) and requires an authenticated attacker who can invoke the file copy or remove endpoints. Once authenticated, the attacker can inject traversal sequences into filename components, thereby bypassing directory-level authorization and performing unauthorized file operations across user boundaries. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 00:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenList to version 4.1.10 or later to apply the official patch that removes the path traversal flaw.
  • If an immediate upgrade is infeasible, add strict server‑side validation to strip or reject any ".." sequences from filename components before they are processed by the file copy or remove handlers.
  • Implement per‑user storage isolation or mount segregation so that even if traversal occurs, it cannot reach files owned by other users, adding an additional layer of protection.

Generated by OpenCVE AI on April 18, 2026 at 00:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qmj2-8r24-xxcq OpenList vulnerable to Path Traversal in file copy and remove handlers
History

Mon, 23 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Oplist
Oplist openlist
CPEs cpe:2.3:a:oplist:openlist:*:*:*:*:*:*:*:*
Vendors & Products Oplist
Oplist openlist

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Openlistteam
Openlistteam openlist
Vendors & Products Openlistteam
Openlistteam openlist

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10.
Title OpenList affected by Path Traversal in file copy and remove handlers
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Openlistteam Openlist
Oplist Openlist
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:53:37.480Z

Reserved: 2026-01-28T14:50:47.889Z

Link: CVE-2026-25059

cve-icon Vulnrichment

Updated: 2026-02-04T15:54:31.024Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:08.753

Modified: 2026-02-23T17:35:20.183

Link: CVE-2026-25059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses