{"id":"CVE-2026-42564","summary":"jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact","details":"jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.","aliases":["GHSA-7843-gwq8-g96f"],"modified":"2026-07-08T08:13:25.406848642Z","published":"2026-05-11T21:17:41.624Z","database_specific":{"cwe_ids":["CWE-200","CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42564.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42564.json"},{"type":"ADVISORY","url":"https://github.com/fccview/jotty/security/advisories/GHSA-7843-gwq8-g96f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42564"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fccview/jotty","events":[{"introduced":"0"},{"fixed":"00dd9eafec1b2f80e186492dcdb836a3a1482cbf"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.22.0"}]}}],"versions":["1.21.1","1.21.0","1.20.0","develop","1.18.1","1.19.1","1.19.0","1.16.1","1.16.0","1.15.2","1.15.1","1.15.0","1.14.4","1.14.3","1.14.2","1.14.1","1.14.0","1.13.1","1.13.0","1.12.2","1.12.1","1.6.1","1.6.0","1.5.4","1.5.3","1.5.2","1.5.1","1.5.0","1.4.2","1.4.1","1.4.0","1.3.2","1.3.1","1.2.0","1.1.1","1.1.0","1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42564.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}