PT-2026-33892 · Go · github.com/daptin/daptin

Published: 2026-04-10 · Updated: 2026-04-10

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

Impact

The cloudstore.file.upload action in server/actions/action_cloudstore_file_upload.go writes user-supplied filenames directly to disk without proper validation.
This allows unauthenticated attackers to perform path traversal and zip slip attacks, leading to arbitrary file write and potential remote code execution.

CVSS Score: 10.0 Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
CWE: CWE-22 (Path Traversal)
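The validation that is missing in this class of bug can be sketched as follows. This is an added example, not Daptin's code and not its patch; the names SafeJoin and ResolveEntries and the base directory /srv/uploads are hypothetical. It applies the same containment check to a plain upload filename and to every entry name of a zip archive.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// SafeJoin maps an untrusted name (upload filename or zip entry name) to a
// path under base. The check is lexical; it does not resolve symlinks.
func SafeJoin(base, name string) (string, error) {
	if name == "" || strings.ContainsAny(name, "\\\x00") || filepath.IsAbs(name) {
		return "", fmt.Errorf("rejected name %q", name)
	}
	target := filepath.Join(base, name) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("name %q escapes %q", name, base)
	}
	return target, nil
}

// ResolveEntries returns the destination path for every entry of an uploaded
// archive, or an error if any entry name fails SafeJoin (zip slip).
func ResolveEntries(data []byte, base string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil { // a usable reader may still carry zip.ErrInsecurePath
		return nil, err
	}
	var out []string
	for _, f := range zr.File {
		dst, err := SafeJoin(base, f.Name)
		if err != nil {
			return nil, fmt.Errorf("archive rejected: %w", err)
		}
		out = append(out, dst)
	}
	return out, nil
}

func main() {
	for _, n := range []string{"report.pdf", "../../outside.txt"} { // constructed names
		p, err := SafeJoin("/srv/uploads", n)
		fmt.Printf("%q -> %q, err=%v\n", n, p, err)
	}
}
```

Because the check is lexical, a symlink already present under the base directory can still redirect a write; resolve the destination (for example with filepath.EvalSymlinks) before opening the file.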

Patches

Upgrade to a patched version once released. The vulnerability affects all versions <= v0.11.3 (latest).

Workarounds

Restrict access to the cloudstore.file.upload action through authentication and authorization controls until a patch is available.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

GHSA-9CP7-J3F8-P5JX

Affected Products

github.com/daptin/daptin