CVE-2026-25059
Published: 02 February 2026
Summary
CVE-2026-25059 is a high-severity Path Traversal (CWE-22) vulnerability in Oplist Openlist. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents path traversal by requiring validation of filename inputs in file operation handlers to block '..' sequences from escaping validated directories.
AC-3 enforces approved access control policies on file operations, mitigating unauthorized cross-user file access even if path traversal payloads are processed.
SI-2 ensures timely flaw remediation through patching, directly addressing the specific path traversal vulnerability fixed in OpenList 4.1.10.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal bypasses directory authorization in file ops, directly enabling privilege escalation (T1068) via unauthorized access to other users' files, data collection from local storage (T1005), and file deletion (T1070.004).
NVD Description
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences…
more
to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10.
Deeper analysisAI
CVE-2026-25059 is a path traversal vulnerability (CWE-22) in OpenList Frontend, a UI component for OpenList, affecting versions prior to 4.1.10. The flaw exists in multiple file operation handlers within server/handles/fsmanage.go, where filename components from req.Names are directly concatenated with validated directories using stdpath.Join. This permits ".." sequences to bypass path restrictions, allowing access to files outside intended directories.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation enables bypassing directory-level authorization by injecting traversal sequences into filename components, granting access to other users' files within the same storage mount for unauthorized actions including deletion, renaming, or copying.
The vulnerability is fixed in OpenList version 4.1.10. Mitigation involves updating to this patched release, with details available in the fix commit at https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14, the release notes at https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10, and the GitHub security advisory at https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq.
Details
- CWE(s)