PT-2026-39303 · Debian+3 · Ruby-View-Component+1

Cyberlanc3R · Published 2026-05-08 · Updated 2026-05-26 · CVE-2026-44837

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ViewComponent versions 3.0.0 through 4.8.9
Description: The system test entrypoint canonicalizes a user-controlled file path with File.realpath and then checks whether the resolved path starts with the path of the temporary directory. That containment check is insufficient because it is a bare string-prefix comparison: a sibling directory whose name begins with the same string as the temporary directory (for example a directory next to it that shares its name as a prefix) also passes the check. An attacker can therefore supply the file parameter of the /_system_test_entrypoint endpoint to read and render files located in such sibling directories, outside the intended temporary directory. The issue is scoped to the test route, which is normally mounted only when the application runs in the test environment.
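The following is an added illustration of the weak check described above and of the corrected comparison; it is example code written for this page, not the ViewComponent code. The function and directory names (contained_by_prefix?, contained_by_separator?, view_components, view_components_other) are hypothetical, and the files are created in a throwaway temporary directory so the example runs offline.

```ruby
require "tmpdir"
require "fileutils"

# Vulnerable pattern (hypothetical reconstruction, not the project's code):
# canonicalize with File.realpath, then compare with a bare string prefix.
# File.realpath(path, base) resolves a relative path against base and follows
# symlinks, so "../x" and symlinks are resolved before the comparison.
def contained_by_prefix?(base_dir, user_file)
  base = File.realpath(base_dir)
  path = File.realpath(user_file, base)
  path.start_with?(base)
rescue Errno::ENOENT
  false # missing files are treated as not contained
end

# Corrected pattern: the resolved path must equal the base directory or start
# with the base directory followed by a path separator. A sibling directory
# such as "<base>_other" no longer matches.
def contained_by_separator?(base_dir, user_file)
  base = File.realpath(base_dir)
  path = File.realpath(user_file, base)
  path == base || path.start_with?(base + File::SEPARATOR)
rescue Errno::ENOENT
  false
end

# Builds a constructed layout:
#   <root>/view_components/ok.html           (allowed)
#   <root>/view_components_other/secret.html (sibling sharing the string prefix)
#   <root>/outside.html                      (unrelated file, reached via symlink)
# and evaluates both checks against it. Returns a Hash of results.
def demo
  Dir.mktmpdir("vc_demo") do |root|
    allowed = File.join(root, "view_components")
    sibling = File.join(root, "view_components_other")
    FileUtils.mkdir_p(allowed)
    FileUtils.mkdir_p(sibling)
    File.write(File.join(allowed, "ok.html"), "<p>ok</p>")
    File.write(File.join(sibling, "secret.html"), "<p>secret</p>")
    File.write(File.join(root, "outside.html"), "<p>outside</p>")
    File.symlink(File.join(root, "outside.html"), File.join(allowed, "link.html"))

    sibling_traversal = "../view_components_other/secret.html"

    {
      # a legitimate file under the allowed directory
      legit_prefix: contained_by_prefix?(allowed, "ok.html"),
      legit_fixed: contained_by_separator?(allowed, "ok.html"),
      # sibling-directory bypass: passes the prefix check, rejected by the fix
      bypass_prefix: contained_by_prefix?(allowed, sibling_traversal),
      bypass_fixed: contained_by_separator?(allowed, sibling_traversal),
      # symlink pointing outside: realpath resolves it, so both checks reject it
      symlink_prefix: contained_by_prefix?(allowed, "link.html"),
      symlink_fixed: contained_by_separator?(allowed, "link.html"),
      # the base directory itself is accepted by the fix via the equality branch
      self_fixed: contained_by_separator?(allowed, ".")
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, value| puts "#{name}: #{value}" }
end
```

The symlink case shows what File.realpath does solve: a link inside the allowed directory that points elsewhere is resolved to its real target and rejected by both checks. What realpath does not solve is the comparison itself; only appending File::SEPARATOR (or an equivalent component-wise comparison with Pathname) closes the sibling-directory case.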
Recommendations: Update to version 4.9.0. As a temporary workaround, restrict access to the /_system_test_entrypoint endpoint (and confirm that the test route is not mounted outside the test environment) to reduce the risk of exploitation.

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-44837
GHSA-HG3H-G7XC-F7VP

Affected Products

Ruby-View-Component