High severity · 8.2 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-42564
Description
jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside data/uploads/app-icons/. This vulnerability is fixed in 1.22.0.
Affected products (2)
- Range: <1.22.0