CVE-2026-42564

HIGH

8.2CVSS v3

—CVSS v2

0.07% EPSS (exploit probability)

CWE-22CWE

Description

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected routers (0)

No routers currently mapped to this CVE in our database.

External references

NIST NVD
MITRE CVE