Path Traversal Vulnerability in Coursevault-Preview by Moritz Myrz
CVE-2026-35613

5.1 MEDIUM

Key Information:

Vendor

Moritzmyrz

CVE Published:
7 April 2026

What is CVE-2026-35613?

The coursevault-preview utility lets users preview course material files from a defined directory. Versions prior to 0.1.1 contain a path traversal vulnerability in the 'resolveSafe' method. The boundary check relies on String.prototype.startsWith(baseDir), which compares characters rather than path components and therefore fails to restrict file access to the designated directory. By manipulating the relativePath argument, an attacker can potentially gain unauthorized access to files outside baseDir, especially when a sibling directory's name shares a common prefix with it. Users are advised to upgrade to version 0.1.1 or later to mitigate this risk.
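The boundary problem described above, shown as an added example that is not the coursevault-preview source: a prefix-only check beside a component-aware one. The function names, the base directory /srv/courses and its sibling /srv/courses-archive are constructed for illustration.

```javascript
// Added illustration; not code from coursevault-preview.
const path = require("path");

// Prefix-only check of the kind the advisory describes (hypothetical name).
// "/srv/courses-archive/x" starts with "/srv/courses", so it is accepted.
function resolvePrefixOnly(baseDir, relativePath) {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, relativePath);
  if (!resolved.startsWith(base)) {
    throw new Error("path escapes base directory");
  }
  return resolved;
}

// Component-aware check (hypothetical name): compute the path from base to
// the target and reject it if it has to climb out of base.
// Lexical only: if baseDir may contain symlinks, resolve both sides with
// fs.realpathSync before comparing.
function resolveContained(baseDir, relativePath) {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, relativePath);
  const rel = path.relative(base, resolved);
  const climbsOut = rel === ".." || rel.startsWith(".." + path.sep);
  // path.isAbsolute covers a different drive letter on Windows.
  if (climbsOut || path.isAbsolute(rel)) {
    throw new Error("path escapes base directory");
  }
  return resolved;
}

// True when the resolver accepts the path, false when it rejects it.
function accepts(resolver, baseDir, relativePath) {
  try {
    resolver(baseDir, relativePath);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs: in-tree file, sibling with shared prefix, plain escape.
const samples = ["week1/notes.pdf", "../courses-archive/exam.pdf", "../../etc/hosts"];
for (const rel of samples) {
  const prefixOnly = accepts(resolvePrefixOnly, "/srv/courses", rel);
  const contained = accepts(resolveContained, "/srv/courses", rel);
  console.log(`${rel}: prefix-only=${prefixOnly} component-aware=${contained}`);
}
```

Only the sibling-directory input separates the two checks, which is why a test suite that covers plain ../ escapes alone will not catch this class of bug.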

Affected Version(s)

coursevault-preview < 0.1.1

CVSS V3.1

Score:
5.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
