PT-2026-45881 · Alf.Io · Alf.Io
Et43
Published 2026-06-02 · Updated 2026-06-03
CVE-2026-41412
CVSS v3.1: 4.9 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
alf.io versions prior to 2.0-M5-2606
Description
The extension sandbox injects a fully functional HTTP client (simpleHttpClient) into the scope of every extension script. Its postFileAndSaveResponse() method accepts an arbitrary filesystem path in the file parameter and opens it with new FileInputStream(file), with no path validation, no restriction to a designated directory, and no allowlist. A malicious extension script can therefore read any file readable by the JVM process user and exfiltrate its contents to an external server via HTTP POST. The attacker must already be able to author or modify an extension script, which is why the vector rates the required privileges as high (PR:H); the impact is limited to confidentiality (C:H/I:N/A:N).
Recommendations
Update to version 2.0-M5-2606.
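The unchecked read described above, next to one way of constraining it. This is an added illustration, not alf.io's code and not the fix shipped in 2.0-M5-2606 (the advisory does not say how the project resolved it). The method names readUnchecked and readChecked, the base-directory allowlist and the sample files are assumptions made for the example; the real postFileAndSaveResponse() signature may differ.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not alf.io's code. Names and the allowlist policy are
// assumptions chosen for illustration.
public class FileParamCheck {

    // Vulnerable pattern from the advisory: the caller's string goes straight
    // to the filesystem, so "/etc/passwd" or any other file readable by the
    // JVM user is opened and its bytes become the POST body.
    static byte[] readUnchecked(String file) throws IOException {
        try (InputStream in = new FileInputStream(file)) {
            return in.readAllBytes();
        }
    }

    // Hardened variant: resolve the caller's path against a fixed base
    // directory, collapse ".." segments, then canonicalise (which follows
    // symlinks) and refuse anything that does not stay inside the base.
    static Path resolveInside(Path baseDir, String file) throws IOException {
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(file).normalize();
        // Rejects "../../etc/passwd" and absolute paths such as "/etc/passwd"
        // (resolve() returns an absolute argument unchanged).
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes allowed directory: " + file);
        }
        // Rejects a symlink inside the base that points outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes allowed directory: " + file);
        }
        if (!Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file: " + file);
        }
        return real;
    }

    static byte[] readChecked(Path baseDir, String file) throws IOException {
        return Files.readAllBytes(resolveInside(baseDir, file));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a scratch directory with one file the extension
        // may send, plus a symlink that tries to escape it (Linux/macOS paths).
        Path base = Files.createTempDirectory("ext-uploads");
        Files.writeString(base.resolve("report.csv"), "id,amount\n1,10\n");
        Files.createSymbolicLink(base.resolve("escape"), Paths.get("/etc"));

        // Unchecked: any readable path works, exactly the advisory's problem.
        System.out.println("unchecked read of /etc/passwd: "
                + readUnchecked("/etc/passwd").length + " bytes");

        // Checked: the legitimate file is still readable.
        System.out.println("checked read: " + new String(readChecked(base, "report.csv")).trim());

        String[] attempts = {"../../etc/passwd", "/etc/passwd", "escape/passwd"};
        for (String a : attempts) {
            try {
                readChecked(base, a);
                System.out.println("UNEXPECTED: read " + a);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected " + a + ": " + e.getMessage());
            }
        }
    }
}
```

The two startsWith checks are both needed: normalize() catches textual traversal but does not touch symlinks, and toRealPath() resolves symlinks but fails on paths that do not exist, so checking before and after it keeps the error path deterministic. Restricting the HTTP client to files the extension itself created, or removing the file-upload helper from the sandbox entirely, are stricter alternatives the same check enables.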
Path traversal
Affected Products
Alf.Io