Cyber Resilience

CVE-2026-25059

High · Public PoC

Published: 02 February 2026

Modified: 23 February 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0060 (44.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25059 is a high-severity Path Traversal (CWE-22) vulnerability in Oplist Openlist. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 44.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25059 is a path traversal vulnerability (CWE-22) in OpenList Frontend, a UI component for OpenList, affecting versions prior to 4.1.10. The flaw exists in multiple file operation handlers within server/handles/fsmanage.go, where filename components from req.Names are directly concatenated with validated directories using stdpath.Join. This permits ".." sequences to bypass path restrictions, allowing access to files outside intended directories.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation enables bypassing directory-level authorization by injecting traversal sequences into filename components, granting access to other users' files within the same storage mount for unauthorized actions including deletion, renaming, or copying.

The vulnerability is fixed in OpenList version 4.1.10. Mitigation involves updating to this patched release, with details available in the fix commit at https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14, the release notes at https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10, and the GitHub security advisory at https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq.

Vulnerability details

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains a path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1005 Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1070.004 File Deletion · Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Path traversal bypasses directory authorization in file ops, directly enabling privilege escalation (T1068) via unauthorized access to other users' files, data collection from local storage (T1005), and file deletion (T1070.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25060 · Same product: Oplist Openlist
CVE-2026-7252 · Shared CWE-22
CVE-2025-48636 · Shared CWE-22
CVE-2025-30005 · Shared CWE-22
CVE-2026-3243 · Shared CWE-22
CVE-2026-32711 · Shared CWE-22
CVE-2026-33493 · Shared CWE-22
CVE-2023-52953 · Shared CWE-22
CVE-2025-70084 · Shared CWE-22
CVE-2026-3464 · Shared CWE-22

Affected Assets

oplist
openlist
≤ 4.1.10

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-10 directly prevents path traversal by requiring validation of filename inputs in file operation handlers to block '..' sequences from escaping validated directories.

Prevent: AC-3 enforces approved access control policies on file operations, mitigating unauthorized cross-user file access even if path traversal payloads are processed.

Prevent: SI-2 ensures timely flaw remediation through patching, directly addressing the specific path traversal vulnerability fixed in OpenList 4.1.10.
