PT-2026-5723 · Unknown · Openlist Frontend
A7Um
Published 2026-02-02 · Updated 2026-02-23
CVE-2026-25059
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenList Frontend versions prior to 4.1.10
Description: The OpenList Frontend application contains a path traversal flaw in several file operation handlers in server/handles/fsmanage.go. Each handler joins filename components taken from req.Names onto an already validated directory with stdpath.Join. Because stdpath.Join cleans the result, a name containing ".." sequences resolves to a path outside the validated directory, bypassing the path restriction. An authenticated attacker who injects such sequences into a filename component can reach files belonging to other users on the same storage mount and perform unauthorized actions on them, including deletion, renaming, and copying. The vulnerable functions include FsRemove and FsCopy. In shared storage environments this amounts to privilege escalation across users' data.
Recommendations: For versions prior to 4.1.10, upgrade to version 4.1.10 or later to resolve this issue.
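The following is an added example, not code from the OpenList project or from this advisory. It reproduces the pattern the description names (a user-supplied name joined onto a validated directory with stdpath.Join) and sets it beside a checked variant that accepts only a single path element and verifies the cleaned result still sits directly under the validated directory. The mount layout ("/mount/alice", "/mount/bob"), the request struct and the function names are assumptions for illustration; the real handlers are not shown here.

```go
package main

import (
	"errors"
	"fmt"
	stdpath "path"
	"strings"
)

// fsRequest mirrors the shape the advisory describes: a validated directory
// plus a list of user-controlled file names. (Hypothetical, for illustration.)
type fsRequest struct {
	Dir   string   // already validated to be the caller's own directory
	Names []string // attacker-controlled filename components
}

// joinUnchecked is the vulnerable pattern: stdpath.Join cleans "..", so a
// name such as "../bob/secret.txt" escapes the validated directory.
func joinUnchecked(dir, name string) string {
	return stdpath.Join(dir, name)
}

var errBadName = errors.New("invalid file name: must be a single path element")

// joinChecked accepts only a single path element and then confirms that the
// cleaned result is an immediate child of the validated directory.
func joinChecked(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {
		return "", errBadName
	}
	full := stdpath.Join(dir, name)
	// Defence in depth: whatever Join produced must live directly under dir.
	if stdpath.Dir(full) != stdpath.Clean(dir) {
		return "", errBadName
	}
	return full, nil
}

// resolveChecked applies joinChecked to every name in the request and fails
// the whole request on the first bad name, so no partial operation runs.
func resolveChecked(req fsRequest) ([]string, error) {
	out := make([]string, 0, len(req.Names))
	for _, n := range req.Names {
		p, err := joinChecked(req.Dir, n)
		if err != nil {
			return nil, fmt.Errorf("name %q: %w", n, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	// Constructed request: a caller confined to /mount/alice tries to reach
	// another user's file on the same mount.
	req := fsRequest{Dir: "/mount/alice", Names: []string{"notes.txt", "../bob/secret.txt"}}

	for _, n := range req.Names {
		fmt.Printf("unchecked: %-20s -> %s\n", n, joinUnchecked(req.Dir, n))
	}
	if _, err := resolveChecked(req); err != nil {
		fmt.Println("checked:   request rejected:", err)
	}
}
```

The single-element check is what matters for a per-name API like this one; the trailing stdpath.Dir comparison only guards against a future change that loosens the first check. A base-directory prefix test alone ("does the result start with /mount/") would not help here, because the attacker's target is on the same mount.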

Path traversal

Weakness Enumeration

Related identifiers

CVE-2026-25059
GHSA-QMJ2-8R24-XXCQ
GO-2026-4396
SUSE-SU-2026:0403-1

Affected products

Openlist Frontend