HIGH SeverityCVSS 3.18.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVE-2026-42564

Last updated May 11, 2026 · Published May 11, 2026

Description

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.

Affected products

1 listed

fccview:jotty

Mappings

CWE

CWE-200CWE-22

CAPEC

None listed.

Research

Path traversal: how to detect and prevent itPath traversal lets attackers read or write files outside intended directories. Normalise paths, resolve them…

Training

Logging and Detection EngineeringWriting logs that actually help you find attackers - structured, contextual, actionable.
Secure File HandlingUploads, storage, and serving files without opening the door to attackers.

CVE-2026-42564

Description

Affected products

Mappings

Related