Platform
go
Component
github.com/openlistteam/openlist
Fixed in
4.1.11
4.1.10
CVE-2026-25059 describes a Path Traversal vulnerability in OpenList, a Go-based file listing application. The flaw lets an attacker read sensitive files on the server by supplying crafted paths to the file copy and remove operations. It affects OpenList versions before 4.1.10; version 4.1.10 contains the fix.
The Path Traversal vulnerability in OpenList allows an attacker to bypass the intended file system restrictions. By crafting requests to the file copy and remove handlers, an attacker can reach files outside the directory the application is meant to expose. The impact the advisory describes is information disclosure: configuration files, source code, or user data readable by the OpenList process may be exposed. How serious that is depends on which files the process can read and on the privileges it runs with; configuration files commonly contain credentials or tokens, so a single leaked file can be the starting point for further compromise.
CVE-2026-25059 was publicly disclosed on 2026-02-05. No public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog at the time of writing. The CVSS base score of 8.8 (High) rates the severity of a successful attack, not its likelihood; the EPSS score of 0.03% indicates a low predicted probability of exploitation in the wild, a figure that typically rises once a proof of concept is published.
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25059 is to upgrade OpenList to version 4.1.10 or later, which includes the fix. If an immediate upgrade is not possible, validate the paths used by the copy and remove handlers: canonicalize each path and reject any request whose resolved path lies outside the storage root, for the destination as well as the source. A Web Application Firewall (WAF) with path traversal rules can block the obvious `../` patterns, but treat it as a stopgap only, since encoding variants and other normalization differences can slip past signature matching. Also review and restrict the file system permissions of the OpenList service account so that a successful exploit can only reach files the application actually needs.
Update OpenList to version 4.1.10 or later. This version fixes the path traversal vulnerability that allows unauthorized file access. The update can be performed by downloading the latest release from the official website or by using the update mechanism provided by the application.
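The following is an added example, not code from OpenList or from the advisory, illustrating both the vulnerable pattern the description above refers to (a client path glued onto the storage root) and the mitigation recommended for the copy and remove handlers. The root path, the `SafeJoin` and `ValidateCopy` helpers and the sample request paths are all assumptions constructed for the demonstration; the check is the general lexical containment test, so it covers nested `..` segments and absolute paths as well as the plain `../../` case.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path would resolve outside the root.
var ErrTraversal = errors.New("path escapes storage root")

// NaiveJoin shows the vulnerable pattern: the client-supplied path is glued
// onto the root and handed to the filesystem unchanged, so ".." segments are
// honoured by the OS and "../../etc/passwd" walks out of root.
func NaiveJoin(root, userPath string) string {
	return root + string(filepath.Separator) + userPath
}

// SafeJoin resolves userPath relative to root and refuses any result outside
// root. filepath.Join cleans the result lexically, which collapses ".."
// segments, and a leading "/" in userPath is treated as relative to root
// rather than as an absolute path. The check is lexical only: it does not
// follow symlinks, so resolve root with filepath.EvalSymlinks beforehand and
// keep symlink creation out of the storage tree if attackers can write there.
func SafeJoin(root, userPath string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, userPath)
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	// rel starting with ".." means joined is an ancestor or sibling of root.
	// A name such as "..hidden" is legitimate, so require the separator.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// ValidateCopy applies the check to both ends of a copy request: a handler
// that validates only the source still lets the destination escape.
// Hypothetical helper for this example, not OpenList's API.
func ValidateCopy(root, src, dst string) (string, string, error) {
	s, err := SafeJoin(root, src)
	if err != nil {
		return "", "", fmt.Errorf("source: %w", err)
	}
	d, err := SafeJoin(root, dst)
	if err != nil {
		return "", "", fmt.Errorf("destination: %w", err)
	}
	return s, d, nil
}

func main() {
	root := "/srv/openlist/data" // constructed example root, not a real deployment
	requests := []string{ // constructed sample request paths
		"docs/readme.md", "../../etc/passwd", "docs/../../secret", "/etc/shadow", "..hidden",
	}
	for _, p := range requests {
		got, err := SafeJoin(root, p)
		fmt.Printf("%-20q naive=%-42s safe=%q err=%v\n", p, NaiveJoin(root, p), got, err)
	}
}
```

`SafeJoin` re-roots absolute paths instead of rejecting them, which is the friendlier behaviour for a file listing service; if the handlers should refuse them outright, return an error when `filepath.IsAbs(userPath)` is true before joining.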
CVE-2026-25059 is a Path Traversal vulnerability affecting OpenList versions before 4.1.10, allowing attackers to read arbitrary files via manipulated file copy and remove handlers.
You are affected if you are using OpenList versions prior to 4.1.10. Upgrade to the latest version to remediate the vulnerability.
Upgrade OpenList to version 4.1.10 or later. As a temporary workaround, reject any request to the copy and remove handlers whose canonicalized path resolves outside the storage root, and consider a WAF rule for traversal patterns as an additional layer.
There are currently no confirmed reports of active exploitation. The CVSS score of 8.8 reflects the severity of a successful attack rather than its likelihood; the EPSS score of 0.03% indicates a low predicted probability of exploitation at the time of writing.
Refer to the OpenList project's official repository and release notes for the advisory and detailed information regarding the fix.