PT-2025-23884 · Aerc · Aerc

Published

2025-06-05

·

Updated

2025-06-05

·

CVE-2025-49466

CVSS v3.1

5.8

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions aerc versions before commit 93bec0d
Description aerc builds the path for an attachment part in commands/msgview/open.go by concatenating the part's declared name directly onto the target directory. That name is taken from the received message, so the sender controls it, and a name carrying path components such as ../ is neither rejected nor stripped. The file the open command operates on can therefore lie outside the intended directory (relative path traversal).
Recommendations Update to a build of aerc that includes commit 93bec0d, which fixes the issue. Until the update is applied, do not use the open command on attachments from untrusted senders. Restricting access to the open.go source file is not a mitigation: the vulnerable logic is compiled into the aerc binary, so changing permissions on the source does nothing for a running client.
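The following Go program is an added example, not aerc's own code, written to show the pattern the description names and the check the fix needs. It parses a constructed Content-Disposition header the way a mail client would, builds the destination path once by plain concatenation (the vulnerable pattern) and once through a validating helper (the hardened pattern), and reports which result escapes the directory. The function names, the directory /tmp/aerc-attachments and the sample header are all assumptions made for the example; the real aerc code path and its variable names differ.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for attachment names that must not be used as a
// file name. Hypothetical name chosen for this example, not aerc's.
var ErrUnsafeName = errors.New("attachment name contains path components")

// attachmentName extracts the declared file name from a Content-Disposition
// header value as received in the message. The sender controls this string.
func attachmentName(contentDisposition string) (string, error) {
	_, params, err := mime.ParseMediaType(contentDisposition)
	if err != nil {
		return "", err
	}
	name, ok := params["filename"]
	if !ok || name == "" {
		return "", errors.New("no filename parameter")
	}
	return name, nil
}

// unsafeAttachmentPath mirrors the vulnerable pattern the advisory describes:
// the part name is concatenated directly onto the directory, so "../"
// segments in the name walk out of it.
func unsafeAttachmentPath(dir, partName string) string {
	return dir + string(filepath.Separator) + partName
}

// safeAttachmentPath is the hardened form: the name is rejected outright if
// it is empty, is "." or "..", or carries any path separator or NUL byte,
// and the joined result is then re-checked to lie inside dir.
func safeAttachmentPath(dir, partName string) (string, error) {
	if partName == "" || partName == "." || partName == ".." ||
		strings.ContainsAny(partName, `/\`) || strings.ContainsRune(partName, 0) {
		return "", ErrUnsafeName
	}
	full := filepath.Join(dir, partName)
	if escapesDir(dir, full) { // defence in depth; cannot trigger after the checks above
		return "", ErrUnsafeName
	}
	return full, nil
}

// escapesDir reports whether path, once cleaned, resolves outside dir.
func escapesDir(dir, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(path))
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed sample header; the traversal name is the sender-supplied part.
	const header = `attachment; filename="../../../escaped.sh"`
	const dir = "/tmp/aerc-attachments"

	name, err := attachmentName(header)
	if err != nil {
		panic(err)
	}
	unsafe := unsafeAttachmentPath(dir, name)
	fmt.Printf("unsafe: %s -> cleaned %s (escapes dir: %v)\n",
		unsafe, filepath.Clean(unsafe), escapesDir(dir, unsafe))

	if _, err := safeAttachmentPath(dir, name); err != nil {
		fmt.Println("safe: rejected:", err)
	}
	p, _ := safeAttachmentPath(dir, "report.pdf")
	fmt.Println("safe: accepted", p)
}
```

The hardened helper rejects rather than sanitises: silently reducing "../../../escaped.sh" to "escaped.sh" with filepath.Base would also stay inside the directory, but it hides the fact that the message was malformed, and a rejected name is the safer default for a command that is about to hand the file to an external program.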

Weakness Enumeration Relative Path Traversal (CWE-23)

Related Identifiers CVE-2025-49466

Affected Products Aerc