Platform: go
Component: github.com/openlistteam/openlist
Fixed versions: 4.1.11, 4.1.10
CVE-2026-25059 describes a Path Traversal vulnerability discovered in OpenList, a Go-based application. This flaw allows attackers to potentially read sensitive files on the server by manipulating file copy and removal operations. The vulnerability impacts versions of OpenList before 4.1.10, and a patch is available in version 4.1.10.
The Path Traversal vulnerability in OpenList allows an attacker to bypass intended file system restrictions. By crafting malicious requests, an attacker can manipulate the file copy and remove handlers to access files outside of the intended directory. This could lead to the exposure of sensitive configuration files, source code, or even user data. The potential impact ranges from information disclosure to complete system compromise, depending on the files accessible and the privileges of the application user. Successful exploitation could enable an attacker to gain a deeper understanding of the application's internal workings and identify further vulnerabilities.
CVE-2026-25059 was publicly disclosed on 2026-02-05. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The CVSS score of 8.8 indicates a high probability of exploitation if left unpatched.
Organizations deploying OpenList in production environments, particularly those with sensitive data stored or processed by the application, are at risk. Environments with weak file system permissions or inadequate input validation are especially vulnerable. Shared hosting environments where multiple users share the same server instance should also be considered at higher risk.
• go / server: Inspect application logs for unusual file access patterns or attempts to access files outside of the expected directories. Look for requests containing ../ sequences in file paths.
grep -F '../' /var/log/openlist/access.log   # -F matches the literal string; as a regex, '../' would match almost every line
• generic web: Monitor web server access logs for requests targeting file copy or removal endpoints with suspicious parameters. Use a WAF to block requests containing path traversal sequences.
curl -I 'http://your-openlist-server/copy?file=../../../../etc/passwd'
• generic web: Check response headers for unexpected content types or file extensions when accessing file copy/remove endpoints. A successful path traversal might return a sensitive file with an incorrect content type.
disclosure
Exploitation status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25059 is to upgrade OpenList to version 4.1.10 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing stricter input validation on file paths used in the copy and remove handlers. Employing a Web Application Firewall (WAF) with path traversal protection rules can also help block malicious requests. Review and restrict file system permissions for the OpenList application user to minimize the potential damage from a successful exploit.
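The stricter input validation recommended above, as an added Go example that is not OpenList's own code: a containment check that a copy or remove handler runs on each request path before touching the file system. The storage root, the function names and the sample paths are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideRoot = errors.New("path resolves outside the storage root")
	ErrRootTarget  = errors.New("operation must name an entry below the root")
)

// unsafeJoin shows the pattern behind most traversal bugs: the request path is
// joined onto the storage root and the result is trusted as-is.
func unsafeJoin(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// safeJoin resolves userPath below root and rejects anything that escapes it.
// A copy handler calls it for both src and dst, a remove handler for its target.
// Join already folds ".." away, so containment is checked with filepath.Rel on
// the final path instead of searching the raw input for "..".
func safeJoin(root, userPath string) (string, error) {
	cleanRoot := filepath.Clean(root)
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRoot // request paths must be relative to the mount
	}
	full := filepath.Join(cleanRoot, filepath.FromSlash(userPath))
	rel, err := filepath.Rel(cleanRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	if rel == "." {
		return "", ErrRootTarget // "" or "." would copy/remove the root itself
	}
	return full, nil
}

func main() {
	root := "/srv/openlist/data" // constructed example root, not a real deployment
	fmt.Println(unsafeJoin(root, "../../../../etc/passwd")) // escapes to /etc/passwd
	fmt.Println(safeJoin(root, "../../../../etc/passwd"))   // rejected with ErrOutsideRoot
}
```

The check is lexical and does not follow symlinks already present under the root; on Go 1.24 and later, performing the file operations through os.Root (os.OpenRoot) enforces containment at the OS level as well.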
Update OpenList to version 4.1.10 or later. This version fixes the path traversal vulnerability that allows unauthorized access to files. The update can be performed by downloading the latest version from the official website or by using the update mechanism provided by the application.
CVE-2026-25059 is a Path Traversal vulnerability affecting OpenList versions before 4.1.10, allowing attackers to read arbitrary files via manipulated file copy and remove handlers.
You are affected if you are using OpenList versions prior to 4.1.10. Upgrade to the latest version to remediate the vulnerability.
Upgrade OpenList to version 4.1.10 or later. As a temporary workaround, implement stricter input validation and consider using a WAF.
There are currently no confirmed reports of active exploitation, but the high CVSS score suggests a potential for exploitation if left unpatched.
Refer to the OpenList project's official repository and release notes for the advisory and detailed information regarding the fix.