
Ruizhe

#40448 of 53,624
6.7 Total CVSS
Vulnerabilities · 1
PT-2025-32426
6.7
2025-08-09
Unknown · Tiny-Scientist · CVE-2025-55149
**Name of the Vulnerable Software and Affected Versions**

Tiny-Scientist versions 0.1.1 and below

**Description**

Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research. A path traversal vulnerability has been identified in the `review paper` function in `backend/app.py`. This allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass security restrictions. Attackers can read any PDF file accessible to the server process, potentially accessing sensitive documents and performing reconnaissance on the server's file system structure.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.