Impact
coursevault-preview is a utility that opens course material from a predefined base directory. In versions before 0.1.1 the function that resolves paths performs its check by normalizing the supplied relative path and then testing whether the resulting string starts with the base directory string using String.prototype.startsWith. A string-prefix test does not enforce a directory boundary, so a path that begins with the base directory prefix but points to a sibling directory whose name shares that prefix passes the check. An attacker who can influence the relativePath argument to any affected CoursevaultPreview method may read files located outside the intended base directory, potentially exposing sensitive course content or configuration files. The weakness corresponds to CWE‑22, Files and Directories Path Traversal.
Affected Systems
The vulnerability affects the Coursevault‑Preview utility released by Moritzmyrz. All releases older than version 0.1.1 are impacted; version 0.1.1 and later contain the fix and are not vulnerable. No further version granularity is provided in the advisory.
Risk and Exploitability
The CVSS score of 5.1 denotes medium severity. No EPSS score is available, so the exploitation likelihood cannot be accurately assessed. The vulnerability is not listed in the CISA KEV catalog, indicating that it is currently not known to be exploited at scale. The likely attack vector is any channel that allows a user to supply a relative path to CoursevaultPreview, such as a web interface, API endpoint, or command‑line argument. If the utility is exposed over a network, a remote attacker could craft the path; if it is only available locally, a user with local access to the tool could exploit it. The impact is the disclosure of files outside the configured directory, which could lead to confidential data exposure.
OpenCVE Enrichment
Github GHSA