Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-qmj2-8r24-xxcq

HIGH

OpenList vulnerable to Path Traversal in file copy and remove handlers

Also known asCVE-2026-25059GO-2026-4396
Published
Feb 2, 2026
Updated
Feb 5, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.6%probability of exploitation in next 30 days
Lower Risk44th percentile+0.57%
0.00%0.37%0.73%1.10%0.0%0.0%0.0%0.0%0.6%Mar 26May 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/OpenListTeam/OpenList/v4

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount.

Details

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files.

FsRemove:

func FsRemove(c *gin.Context) {
	// ...
	for _, name := range req.Names {
		err := fs.Remove(c, stdpath.Join(reqDir, name))

FsCopy:

func FsCopy(c *gin.Context) {
	// ...
	if !req.Overwrite {
		for _, name := range req.Names {
			if res, _ := fs.Get(c.Request.Context(), stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {

PoC

Scenario:​ A normal user ("alice") bypasses directory restrictions to read files outside her authorized path.

Environment setup:

  • Local storage mount as '/local'.
  • An admin file "adminsecret.txt" is placed under /local
  • Alice has base path '/local/alice'.

https://github.com/user-attachments/assets/5d73bbec-29e5-4c52-8af3-4c70b26d9d0e

Impact

This vulnerability enables privilege escalation within shared storage environments. An authenticated attacker with basic file operation permissions (remove/copy) can bypass directory-level authorisation controls when multiple users exist within the same storage mount.

Attack Requirements:

  • Authenticated user account (not guest)
  • Basic file operation permissions (remove/copy)
  • Multi-user environment within the same storage mount
  • Knowledge (or ability to guess) the target file's name and path

Consequences:

  • Unauthorised data access: Read, copy, and exfiltrate files from other users' directories
  • Data destruction: Delete files belonging to other users

Note

This vulnerability was discovered by:

  • XlabAI Team of Tencent Xuanwu Lab
  • Atuin Automated Vulnerability Discovery Engine

CVE and credit are preferred.

If users have any questions regarding the vulnerability details, please feel free to reach out for further discussion. Email [email protected].

The security industry standard 90+30 disclosure policy is followed. Should the aforementioned vulnerabilities remain unfixed after 90 days of submission, all information about the issues will be publicly disclosed.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/OpenListTeam/OpenList/v4all versions4.1.10

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/OpenListTeam/OpenList/v4. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/OpenListTeam/OpenList/v4 to 4.1.10 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-qmj2-8r24-xxcq is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-qmj2-8r24-xxcq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-qmj2-8r24-xxcq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. ### Details The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers in *server/handles/fsmanage.go*. Filename components in `req.Names` are directly concatenated with validated directories using `stdpath.Join`. Th
O3 Security · Impact-Aware SCA

Is GHSA-qmj2-8r24-xxcq in your dependencies?

O3 detects GHSA-qmj2-8r24-xxcq across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works