Description
jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.
Published: 2026-05-11
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic unauthenticated path traversal flaw (CWE-22) that permits reading files outside the intended data/uploads/app-icons directory. Because the filename parameter of the /api/app-icons/[filename] endpoint is not checked for traversal sequences or directory boundaries, an attacker can retrieve arbitrary files on the host. This leads to exposure of confidential data and to reuse of session tokens, undermining the confidentiality and integrity of user sessions. The record also carries CWE-200 (exposure of sensitive information), reflecting the disclosure risk.

Affected Systems

The issue affects the self-hosted jotty·page application from fccview, specifically versions earlier than 1.22.0. The vulnerable API endpoint is /api/app-icons/[filename] used to serve application icons for checklists and notes.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. Because no authentication is required, the attack is trivial for anyone able to issue HTTP requests to the endpoint. No EPSS score is available, but the absence of an authentication requirement and the simple string manipulation involved suggest a high likelihood of exploitation. The vulnerability is not listed in CISA KEV, but it warrants immediate attention given its potential impact.

Generated by OpenCVE AI on May 11, 2026 at 23:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to jotty version 1.22.0 or later, which fixes the path traversal bug.
  • If an upgrade cannot be performed immediately, restrict access to the /api/app-icons/ endpoint using firewall or web-server rules, allowing only trusted hosts or authenticated users to reach it.
  • Modify the backend code to validate the filename parameter against directory traversal attempts (e.g., reject any path containing '..' components) before constructing the filesystem path.
  • Monitor HTTP logs for suspicious requests targeting the /api/app-icons/ endpoint to detect exploitation attempts.

Generated by OpenCVE AI on May 11, 2026 at 23:40 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.
Title | (none) | jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact
Weaknesses | (none) | CWE-200, CWE-22
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T21:17:41.624Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42564

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T22:22:11.417

Modified: 2026-05-11T22:22:11.417

Link: CVE-2026-42564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:45:03Z

Weaknesses