Skip to main content

Coursevault Preview CVE-2026-35613

| EUVDEUVD-2026-19790 MEDIUM
Path Traversal (CWE-22)
2026-04-07 GitHub_M GHSA-9h9m-rr67-9jpg
5.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 17:00 euvd
EUVD-2026-19790
Analysis Generated
Apr 07, 2026 - 17:00 vuln.today
CVE Published
Apr 07, 2026 - 16:39 nvd
MEDIUM 5.1

DescriptionGitHub Advisory

coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1.

AnalysisAI

Path traversal in coursevault-preview versions before 0.1.1 allows local attackers without authentication to read arbitrary files outside the configured base directory by exploiting a flawed boundary check in the resolveSafe utility. The vulnerability exists because the code uses String.prototype.startsWith() to validate normalized paths, which fails to enforce proper directory boundaries when sibling directories share the same string prefix. This enables disclosure of sensitive files on systems where the application is installed.

Technical ContextAI

coursevault-preview is a Node.js utility for safely previewing course material files from a configured directory. The vulnerability resides in the resolveSafe path normalization function, which implements CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The root cause is insufficient directory boundary enforcement: the code normalizes the provided relativePath and then checks if it starts with the baseDir string using startsWith(). This approach fails because string prefix matching does not account for directory separators. For example, if baseDir is '/course' and a sibling directory '/course_backup' exists, an attacker can construct a path like '../course_backup/../../../etc/passwd' that, after normalization, may begin with the '/course' prefix but actually reference files outside the intended boundary. The affected product is identified by CPE cpe:2.3:a:moritzmyrz:coursevault-preview:*:*:*:*:*:*:*:*, indicating all versions prior to 0.1.1 are vulnerable.

RemediationAI

Vendor-released patch: upgrade to coursevault-preview version 0.1.1 or later, which corrects the path traversal flaw by implementing proper directory boundary enforcement in the resolveSafe utility. Update your package via npm using 'npm install coursevault-preview@latest' or by explicitly specifying version 0.1.1 or higher in your package.json. If immediate upgrade is not feasible, review application deployments to ensure coursevault-preview operates with minimal file system exposure, restrict the baseDir to a dedicated directory tree without sibling directories containing sensitive data, and monitor for any unauthorized file access attempts in application logs. Consult the GitHub Security Advisory (https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg) for additional context and patching timeline details.

Share

CVE-2026-35613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy