CVE-2026-35613

Name of the Vulnerable Software and Affected Versions coursevault-preview versions prior to 0.1.1

Description coursevault-preview is a utility for previewing course material files from a configured directory. The software contains a path traversal issue in the resolveSafe utility. The boundary check uses String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker controlling the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir if a sibling directory exists with a matching string prefix.

Recommendations Update to version 0.1.1 or later.