Unknown · Gin-Vue-Admin · CVE-2024-31457
**Name of the Vulnerable Software and Affected Versions**
gin-vue-admin versions 2.6.1 and earlier
**Description**
The issue is a code injection vulnerability in the gin-vue-admin backend, specifically in the Plugin System -> Plugin Template feature. Because the `plugName` field of the request struct is attacker-controlled, a crafted value can traverse directories, create folders outside the intended plugin location, and write arbitrary code into Go files within those folders.
**Recommendations**
For gin-vue-admin version 2.6.1, update to a version that contains the patch for this issue, specifically pseudoversion 0.0.0-20240409100909-b1b7427c6ea6 or later.
As a temporary workaround for versions prior to the fixed version, filter the input so that it cannot traverse directories, for example by rejecting values that contain ".." in the `plugPath` variable.
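An added example of the workaround described above, written for this page and not taken from gin-vue-admin's code: a hypothetical `SafePlugPath` helper that applies the ".." check and, going beyond the advisory, also rejects path separators and absolute paths and confirms the resolved path stays under the plugin root. The `plugin` root directory name is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadPlugName is returned when a plugin name would escape the plugin directory.
var ErrBadPlugName = errors.New("invalid plugin name")

// SafePlugPath returns the on-disk path for plugName beneath pluginRoot, or an
// error when the name contains "..", a path separator, or otherwise resolves
// outside pluginRoot. Hypothetical helper, not gin-vue-admin's own code.
func SafePlugPath(pluginRoot, plugName string) (string, error) {
	// The workaround from the advisory: refuse any name containing "..".
	if plugName == "" || strings.Contains(plugName, "..") {
		return "", ErrBadPlugName
	}
	// Extra checks: a plugin name must be a single path component, never absolute.
	if strings.ContainsAny(plugName, `/\`) || filepath.IsAbs(plugName) {
		return "", ErrBadPlugName
	}
	root, err := filepath.Abs(pluginRoot)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, plugName)
	// Defence in depth: confirm the cleaned result is still strictly under root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || strings.HasPrefix(rel, "..") {
		return "", ErrBadPlugName
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one valid name and three traversal attempts.
	for _, name := range []string{"myplugin", "../../service/system", "a/b", `..\x`} {
		p, err := SafePlugPath("plugin", name)
		fmt.Printf("%-24q -> %q %v\n", name, p, err)
	}
}
```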