CVE-2026-25059

CVE-2026-25059 is a high-severity path traversal vulnerability in github.com/OpenListTeam/OpenList/v4 (go), affecting versions < 4.1.10. It is fixed in 4.1.10.

Summary

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount.

Details

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files.

FsRemove:

func FsRemove(c *gin.Context) {
	// ...
	for _, name := range req.Names {
		// name comes straight from the request body; a ".." component makes
		// the joined path resolve outside the already-authorised reqDir
		err := fs.Remove(c, stdpath.Join(reqDir, name))

FsCopy:

func FsCopy(c *gin.Context) {
	// ...
	if !req.Overwrite {
		for _, name := range req.Names {
			// same pattern: the unvalidated name is joined to the authorised dstDir
			if res, _ := fs.Get(c.Request.Context(), stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {
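The following is an added illustration, not code from the OpenList project: it reproduces the quoted join pattern next to a hardened `safeJoin` that treats each entry of a `Names`-style list as a bare filename, using the `/local/alice` layout from the PoC below as constructed sample input. `unsafeJoin`, `safeJoin` and `resolveAll` are hypothetical names introduced here; the only thing taken from the page is the `stdpath.Join` call on an authorised directory.

```go
package main

import (
	"errors"
	"fmt"
	stdpath "path"
	"strings"
)

// ErrTraversal is returned when a filename component would escape its directory.
var ErrTraversal = errors.New("filename component escapes its directory")

// unsafeJoin mirrors the pattern quoted from fsmanage.go: the caller-supplied
// name is joined to an already-authorised directory without inspection.
// stdpath.Join cleans the result, so a ".." in name walks up out of authorizedDir.
func unsafeJoin(authorizedDir, name string) string {
	return stdpath.Join(authorizedDir, name)
}

// safeJoin accepts only a bare filename component: non-empty, not "." or "..",
// and containing no separator (backslash is rejected too, in case the backing
// storage driver treats it as one). As a second line of defence the joined
// result is checked to still lie under authorizedDir.
func safeJoin(authorizedDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", ErrTraversal
	}
	base := stdpath.Clean("/" + authorizedDir)
	prefix := base
	if prefix != "/" {
		prefix += "/"
	}
	joined := stdpath.Join(base, name)
	if !strings.HasPrefix(joined, prefix) {
		return "", ErrTraversal
	}
	return joined, nil
}

// resolveAll validates every requested name before any file operation runs,
// so a batch containing one traversal entry performs no deletes or copies at all
// (the quoted handlers act inside the loop, one name at a time).
func resolveAll(authorizedDir string, names []string) ([]string, error) {
	resolved := make([]string, 0, len(names))
	for _, name := range names {
		p, err := safeJoin(authorizedDir, name)
		if err != nil {
			return nil, fmt.Errorf("rejecting %q: %w", name, err)
		}
		resolved = append(resolved, p)
	}
	return resolved, nil
}

func main() {
	// Constructed sample input: alice's base path from the PoC and a traversal name.
	aliceDir := "/local/alice"
	names := []string{"notes.txt", "../adminsecret.txt"}

	for _, n := range names {
		fmt.Printf("unsafe: %q -> %s\n", n, unsafeJoin(aliceDir, n))
		if p, err := safeJoin(aliceDir, n); err != nil {
			fmt.Printf("safe:   %q -> rejected (%v)\n", n, err)
		} else {
			fmt.Printf("safe:   %q -> %s\n", n, p)
		}
	}
	if _, err := resolveAll(aliceDir, names); err != nil {
		fmt.Println("batch refused:", err)
	}
}
```

With this input the unsafe join of `../adminsecret.txt` lands on `/local/adminsecret.txt`, outside alice's directory, while the checked version rejects it and the batch as a whole is refused before anything is touched.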

PoC

Scenario: A normal user ("alice") bypasses directory restrictions to read files outside her authorized path.

Environment setup:

  • Local storage mount as '/local'.
  • An admin file "adminsecret.txt" is placed under /local.
  • Alice has base path '/local/alice'.

https://github.com/user-attachments/assets/5d73bbec-29e5-4c52-8af3-4c70b26d9d0e

Note

This vulnerability was discovered by:

  • XlabAI Team of Tencent Xuanwu Lab
  • Atuin Automated Vulnerability Discovery Engine

CVE and credit are preferred.

If users have any questions regarding the vulnerability details, please feel free to reach out for further discussion. Email [email protected].

The security industry standard 90+30 disclosure policy is followed. Should the aforementioned vulnerabilities remain unfixed after 90 days of submission, all information about the issues will be publicly disclosed.

Impact

This vulnerability enables privilege escalation within shared storage environments. An authenticated attacker with basic file operation permissions (remove/copy) can bypass directory-level authorisation controls when multiple users exist within the same storage mount.

Attack Requirements:

  • Authenticated user account (not guest)
  • Basic file operation permissions (remove/copy)
  • Multi-user environment within the same storage mount
  • Knowledge of (or the ability to guess) the target file's name and path

Consequences:

  • Unauthorised data access: Read, copy, and exfiltrate files from other users' directories
  • Data destruction: Delete files belonging to other users

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2026-25059 has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.1.10); upgrading removes the vulnerable code path.

Affected versions

github.com/OpenListTeam/OpenList/v4 (< 4.1.10)

Security releases

github.com/OpenListTeam/OpenList/v4 → 4.1.10 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/OpenListTeam/OpenList/v4 to 4.1.10 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-25059? CVE-2026-25059 is a high-severity path traversal vulnerability in github.com/OpenListTeam/OpenList/v4 (go), affecting versions < 4.1.10. It is fixed in 4.1.10. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-25059? CVE-2026-25059 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/OpenListTeam/OpenList/v4 are affected by CVE-2026-25059? github.com/OpenListTeam/OpenList/v4 (go) versions < 4.1.10 are affected.
  4. Is there a fix for CVE-2026-25059? Yes. CVE-2026-25059 is fixed in 4.1.10. Upgrade to this version or later.
  5. Is CVE-2026-25059 exploitable, and should I be worried? Whether CVE-2026-25059 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-25059 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-25059? Upgrade github.com/OpenListTeam/OpenList/v4 to 4.1.10 or later.
