CVE-2026-25059

8.8 HIGH

📋 TL;DR

OpenList Frontend versions before 4.1.10 contain a path traversal vulnerability in file operation handlers that allows authenticated attackers to bypass directory restrictions. By injecting '..' sequences into filename parameters, attackers can access, delete, rename, or copy other users' files within the same storage mount. This affects all deployments using vulnerable versions of OpenList Frontend.

💻 Affected Systems

Products:
  • OpenList Frontend
Versions: All versions prior to 4.1.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the vulnerable file operation handlers. All deployments with the vulnerable code are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all user data within the storage mount, including deletion of critical files, data exfiltration, and potential privilege escalation if system files are accessible.

🟠

Likely Case

Unauthorized access to other users' files, data theft, and potential data destruction through file deletion or corruption.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent authenticated attackers from reaching vulnerable endpoints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple: it only requires path traversal sequences in filename parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.10

Vendor Advisory: https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq

Restart Required: Yes

Instructions:

1. Backup your configuration and data.
2. Stop the OpenList Frontend service.
3. Update to version 4.1.10 or later.
4. Restart the service.
5. Verify the fix is applied.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement a middleware or reverse proxy that validates and sanitizes filename parameters before they reach the vulnerable handlers.
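As an added illustration of the check such a middleware would apply (example code, not OpenList's own; the function names and the `src_name`/`dst_name` parameter names are assumptions): a Go helper that rejects any client-supplied name containing a `..` path component or starting with a separator, then cleans the joined path and confirms it still lies under the caller's trusted mount root. Backslashes are treated as separators as an extra assumption, so the same names are rejected on Windows deployments, while a name such as `notes..old.txt` that merely contains two dots is still accepted.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned for any client-supplied name that would escape the mount root.
var ErrTraversal = errors.New("path traversal rejected")

// isSep treats both slash and backslash as separators (assumption: defend Windows hosts too).
func isSep(r rune) bool { return r == '/' || r == '\\' }

// hasDotDot reports whether any separator-delimited component of name is exactly "..".
// "notes..old.txt" is therefore not flagged; only a real ".." component is.
func hasDotDot(name string) bool {
	for _, part := range strings.FieldsFunc(name, isSep) {
		if part == ".." {
			return true
		}
	}
	return false
}

// SafeJoin joins a trusted mount root with a client-supplied name and returns the cleaned
// virtual path, or ErrTraversal if the name is empty, starts with a separator, contains a
// ".." component, resolves to the root itself, or (defence in depth) still lands outside
// root after cleaning. Hypothetical helper for illustration, not OpenList's own code.
func SafeJoin(root, name string) (string, error) {
	if name == "" || hasDotDot(name) || isSep(rune(name[0])) {
		return "", ErrTraversal
	}
	cleanRoot := path.Clean("/" + strings.ReplaceAll(root, "\\", "/"))
	joined := path.Clean(cleanRoot + "/" + strings.ReplaceAll(name, "\\", "/"))
	prefix := cleanRoot + "/"
	if cleanRoot == "/" {
		prefix = "/"
	}
	// A name that resolves to the mount root itself (".") names no file inside it.
	if joined == cleanRoot || !strings.HasPrefix(joined, prefix) {
		return "", ErrTraversal
	}
	return joined, nil
}

// ValidateFileOp resolves every name parameter of one file operation (rename and copy
// carry a source and a destination; delete carries a source) against the caller's mount
// root, returning the resolved paths or an error naming the offending parameter.
func ValidateFileOp(root string, params map[string]string) (map[string]string, error) {
	resolved := make(map[string]string, len(params))
	for key, val := range params {
		p, err := SafeJoin(root, val)
		if err != nil {
			return nil, fmt.Errorf("parameter %q: %w", key, err)
		}
		resolved[key] = p
	}
	return resolved, nil
}

func main() {
	root := "/mnt/alice" // the caller's own mount root, taken from the session, never from the request
	for _, n := range []string{"docs/report.txt", "notes..old.txt", "../bob/secret.txt", "docs/../../bob/x", "/etc/passwd", `..\bob\x`} {
		p, err := SafeJoin(root, n)
		fmt.Printf("%-22q -> %q err=%v\n", n, p, err)
	}
	_, err := ValidateFileOp(root, map[string]string{"src_name": "a.txt", "dst_name": "../bob/a.txt"})
	fmt.Println("rename check:", err)
}
```

The mount root must come from the authenticated session, not from any request field; the whole check is void if the client can choose the root it is compared against.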

Access Restriction

all

Restrict network access to the vulnerable endpoints using firewall rules or network segmentation.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable component from sensitive data and other users
  • Deploy a web application firewall (WAF) with path traversal detection rules

🔍 How to Verify

Check if Vulnerable:

Check if OpenList Frontend version is below 4.1.10. Review server/handles/fsmanage.go for the vulnerable path concatenation pattern.

Check Version:

Check the application version in the web interface or configuration files, or run the application with the --version flag, if available.

Verify Fix Applied:

Verify version is 4.1.10 or later. Check that the commit 7b78fed106382430c69ef351d43f5d09928fff14 is applied in the codebase.

📡 Detection & Monitoring

Log Indicators:

  • File operations with '..' sequences in filenames
  • Unauthorized file access patterns across user directories
  • Failed authorization attempts on file operations

Network Indicators:

  • HTTP requests to file operation endpoints with path traversal sequences in parameters

SIEM Query:

source="openlist" AND (filename="*..*" OR path="*..*")
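The wildcard query above also matches legitimate names that merely contain two consecutive dots, such as `notes..old.txt`. As an added example (not part of the advisory, and the key=value log format with `src`/`dst` field names is a constructed assumption), a Go scanner over sample log lines that raises an alert only when a filename parameter has an actual `..` path component, with a count of the broader wildcard matches alongside for comparison.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample log lines in a key=value style (an assumption, not OpenList's real
// log format); src and dst stand for the filename parameters of a file operation.
var sampleLogs = []string{
	`ts=2024-01-01T10:00:00Z user=alice op=rename src="docs/a.txt" dst="docs/b.txt"`,
	`ts=2024-01-01T10:00:05Z user=alice op=remove src="../bob/private.txt"`,
	`ts=2024-01-01T10:00:09Z user=alice op=copy src="notes..old.txt" dst="archive/notes..old.txt"`,
	`ts=2024-01-01T10:00:12Z user=mallory op=move src="x/../../carol/keys" dst="./mine"`,
}

// Alert records one filename parameter that carries a ".." path component.
type Alert struct {
	Line  int // 1-based index of the log line
	User  string
	Op    string
	Field string
	Value string
}

// parseKV splits a whitespace-separated key=value line; values may be double-quoted
// (this toy format has no spaces inside values).
func parseKV(line string) map[string]string {
	kv := make(map[string]string)
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			continue
		}
		kv[k] = strings.Trim(v, `"`)
	}
	return kv
}

// hasDotDot reports whether any slash- or backslash-delimited component is exactly "..".
func hasDotDot(name string) bool {
	for _, part := range strings.FieldsFunc(name, func(r rune) bool { return r == '/' || r == '\\' }) {
		if part == ".." {
			return true
		}
	}
	return false
}

// ScanLogs returns one Alert per filename parameter (src, dst) containing a ".." component.
func ScanLogs(lines []string) []Alert {
	var alerts []Alert
	for i, line := range lines {
		kv := parseKV(line)
		for _, field := range []string{"src", "dst"} {
			if v, ok := kv[field]; ok && hasDotDot(v) {
				alerts = append(alerts, Alert{Line: i + 1, User: kv["user"], Op: kv["op"], Field: field, Value: v})
			}
		}
	}
	return alerts
}

// CountWildcardHits mimics the advisory's `*..*` wildcard: any src/dst value containing
// two consecutive dots anywhere, which also catches benign names like "notes..old.txt".
func CountWildcardHits(lines []string) int {
	n := 0
	for _, line := range lines {
		kv := parseKV(line)
		if strings.Contains(kv["src"], "..") || strings.Contains(kv["dst"], "..") {
			n++
		}
	}
	return n
}

func main() {
	alerts := ScanLogs(sampleLogs)
	for _, a := range alerts {
		fmt.Printf("line %d: user=%s op=%s %s=%q\n", a.Line, a.User, a.Op, a.Field, a.Value)
	}
	fmt.Printf("component-aware alerts: %d, wildcard hits: %d\n", len(alerts), CountWildcardHits(sampleLogs))
}
```

On the four sample lines the component-aware scan raises two alerts while the wildcard matches three, the extra one being the benign copy of `notes..old.txt`; the wildcard query remains a reasonable first filter, but the component check is what separates a real traversal attempt from a filename that happens to contain dots.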
