CVE-2026-42564 - Vulnerability Details - OpenCVE

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Fccview	Jotty

No data.

No data.

References

Link	Providers
https://github.com/fccview/jotty/security/advisories/GHSA-7843-gwq8-g96f

History

Tue, 12 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fccview Fccview jotty
Vendors & Products		Fccview Fccview jotty

Mon, 11 May 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.
Title		jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact
Weaknesses		CWE-200 CWE-22
References		https://github.com/fccview/jotty/security/advisories/GHSA-7843-gwq8-g96f
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-11T21:17:41.624Z

Updated: 2026-05-12T16:40:55.181Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42564

Vulnrichment

Updated: 2026-05-12T16:40:49.853Z

NVD

Status : Deferred

Published: 2026-05-11T22:22:11.417

Modified: 2026-05-13T17:31:40.840

Link: CVE-2026-42564

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42564", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-28T17:26:12.084Z", "datePublished": "2026-05-11T21:17:41.624Z", "dateUpdated": "2026-05-12T16:40:55.181Z"}, "containers": {"cna": {"title": "jotty\u00b7page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/fccview/jotty/security/advisories/GHSA-7843-gwq8-g96f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fccview/jotty/security/advisories/GHSA-7843-gwq8-g96f"}], "affected": [{"vendor": "fccview", "product": "jotty", "versions": [{"version": "< 1.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-11T21:17:41.624Z"}, "descriptions": [{"lang": "en", "value": "jotty\u00b7page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0."}], "source": {"advisory": "GHSA-7843-gwq8-g96f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-12T16:40:42.992349Z", "id": "CVE-2026-42564", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T16:40:55.181Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42564", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-28T17:26:12.084Z", "datePublished": "2026-05-11T21:17:41.624Z", "dateUpdated": "2026-05-12T16:40:55.181Z"}, "containers": {"cna": {"title": "jotty\u00b7page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/fccview/jotty/security/advisories/GHSA-7843-gwq8-g96f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fccview/jotty/security/advisories/GHSA-7843-gwq8-g96f"}], "affected": [{"vendor": "fccview", "product": "jotty", "versions": [{"version": "< 1.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-11T21:17:41.624Z"}, "descriptions": [{"lang": "en", "value": "jotty\u00b7page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0."}], "source": {"advisory": "GHSA-7843-gwq8-g96f", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-12T16:40:42.992349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T16:40:49.853Z"}}]}}