{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.163Z", "datePublished": "2026-04-07T16:39:44.237Z", "dateUpdated": "2026-04-09T16:18:16.501Z"}, "containers": {"cna": {"title": "Path traversal in coursevault-preview due to improper base-directory boundary validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg"}], "affected": [{"vendor": "moritzmyrz", "product": "coursevault-preview", "versions": [{"version": "< 0.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:39:44.237Z"}, "descriptions": [{"lang": "en", "value": "coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1."}], "source": {"advisory": "GHSA-9h9m-rr67-9jpg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:08:47.329674Z", "id": "CVE-2026-35613", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:18:16.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:08:47.329674Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:08:50.724Z"}}], "cna": {"title": "Path traversal in coursevault-preview due to improper base-directory boundary validation", "source": {"advisory": "GHSA-9h9m-rr67-9jpg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "moritzmyrz", "product": "coursevault-preview", "versions": [{"status": "affected", "version": "< 0.1.1"}]}], "references": [{"url": "https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg", "name": "https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:39:44.237Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35613", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:18:16.501Z", "dateReserved": "2026-04-03T21:25:12.163Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T16:39:44.237Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moritzmyrz:coursevault-preview:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FBD01254-D83E-43FE-B695-5ADF82D00EDD", "versionEndExcluding": "0.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1."}], "id": "CVE-2026-35613", "lastModified": "2026-05-01T18:59:48.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T17:16:35.583", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coursevault-preview", "source": "cna", "vendor": "moritzmyrz"}, "product": "coursevault-preview", "vendor": "moritzmyrz"}], "analysis": {"en": {"generated_at": "2026-04-07T23:49:45.495413+00:00", "value": {"mitigation_remediation": ["Upgrade Coursevault\u2011Preview to version 0.1.1 or later.", "If an upgrade is not immediately possible, restrict access to the utility so that only trusted users or internal processes can provide relative path inputs, and/or place the service behind a firewall or network segmentation to limit exposure to untrusted networks."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure via path traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Coursevault\u2011Preview utility released by Moritzmyrz. All releases older than version 0.1.1 are impacted; version 0.1.1 and later contain the fix and are not vulnerable. No further version granularity is provided in the advisory.", "description_and_impact": "coursevault-preview is a utility that opens course material from a predefined base directory. In versions before 0.1.1 the function that resolves paths performs a check by normalizing the supplied relative path and then testing whether the resulting string starts with the base directory string using String.prototype.startsWith. This method does not enforce a directory boundary, allowing a path that begins with the base directory prefix but points to a sibling directory whose name shares that prefix. An attacker who can influence the relativePath argument to any susceptible CoursevaultPreview method may read files located outside the intended base directory, potentially exposing sensitive course content or configuration files. The weakness corresponds to CWE\u201122, Files and Directories Path Traversal.", "risk_and_exploitability": "The CVSS score of 5.1 denotes a medium severity. No EPSS score is available, so the exploitation likelihood cannot be accurately assessed. The vulnerability is not listed in the CISA KEV catalog, indicating that it is currently not known to be exploited at scale. The likely attack vector is any channel that allows a user to supply a relative path to CoursevaultPreview, such as a web interface, API endpoint, or command\u2011line argument. If the utility is exposed over a network, a remote attacker could craft the path; if it is only available locally, a user with local access to the tool could exploit it. The impact is the disclosure of files outside the configured directory, which could lead to confidential data exposure."}}}}, "created": "2026-04-08T19:36:45.976525+00:00", "updated": "2026-04-08T19:47:49.367333+00:00", "vendors": ["moritzmyrz", "moritzmyrz$PRODUCT$coursevault-preview"]}