Skip to main content

Coursevault Preview

1 CVEs product

Monthly

CVE-2026-35613 npm MEDIUM PATCH GHSA This Month

Path traversal in coursevault-preview versions before 0.1.1 allows local attackers without authentication to read arbitrary files outside the configured base directory by exploiting a flawed boundary check in the resolveSafe utility. The vulnerability exists because the code uses String.prototype.startsWith() to validate normalized paths, which fails to enforce proper directory boundaries when sibling directories share the same string prefix. This enables disclosure of sensitive files on systems where the application is installed.

Path Traversal Coursevault Preview
NVD GitHub VulDB
CVSS 3.1
5.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Path traversal in coursevault-preview versions before 0.1.1 allows local attackers without authentication to read arbitrary files outside the configured base directory by exploiting a flawed boundary check in the resolveSafe utility. The vulnerability exists because the code uses String.prototype.startsWith() to validate normalized paths, which fails to enforce proper directory boundaries when sibling directories share the same string prefix. This enables disclosure of sensitive files on systems where the application is installed.

Path Traversal Coursevault Preview
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy