| id: GO-2026-4396 |
| modules: |
| - module: github.com/OpenListTeam/OpenList |
| vulnerable_at: 1.0.6 |
| - module: github.com/OpenListTeam/OpenList/v3 |
| vulnerable_at: 3.45.0 |
| - module: github.com/OpenListTeam/OpenList/v4 |
| versions: |
| - fixed: 4.1.10 |
| vulnerable_at: 4.1.9 |
| summary: OpenList vulnerable to Path Traversal in file copy and remove handlers in github.com/OpenListTeam/OpenList |
| cves: |
| - CVE-2026-25059 |
| ghsas: |
| - GHSA-qmj2-8r24-xxcq |
| references: |
| - advisory: https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-25059 |
| - fix: https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14 |
| - web: https://github.com/OpenListTeam/OpenList/blob/5db2172ed681346b69ed468c73c1f01b6ed455ea/server/handles/fsmanage.go#L163-L164 |
| - web: https://github.com/OpenListTeam/OpenList/blob/5db2172ed681346b69ed468c73c1f01b6ed455ea/server/handles/fsmanage.go#L284-L285 |
| - web: https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 |
| source: |
| id: GHSA-qmj2-8r24-xxcq |
| created: 2026-02-04T17:39:07.742062986-05:00 |
| review_status: UNREVIEWED |
