Unrated severityNVD Advisory· Published Feb 11, 2026· Updated Feb 11, 2026

Outline Affected an Arbitrary File Read via Path Traversal in JSON Import

CVE-2026-25062

Description

Outline is a service that allows for collaborative documentation. Prior to 1.4.0, during the JSON import process, the value of attachments[].key from the imported JSON is passed directly to path.join(rootPath, node.key) and then read using fs.readFile without validation. By embedding path traversal sequences such as ../ or absolute paths, an attacker can read arbitrary files on the server and import them as attachments. This vulnerability is fixed in 1.4.0.

Affected products

Outline/Outlinellm-fuzzy
Range: <1.4.0
outline/outlinev5
Range: < 1.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/outline/outline/releases/tag/v1.4.0mitrex_refsource_MISC
github.com/outline/outline/security/advisories/GHSA-7r4f-3wjv-83xfmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000