Requarks Wiki.js
cpe:2.3:a:requarks:wiki.js:*:*:*:*:*:*:*
- < 2.5.254
A directory traversal vulnerability that allows access to files outside of the Wiki.js context has been identified in Wiki.js versions prior to 2.5.254. The issue occurs on Windows hosts when a storage module with local asset cache fetching, such as Local File System or Git, is enabled. It can be exploited with a specially crafted URL that uses directory traversal, potentially allowing a malicious user to read any file on the file system. Exploitation is possible only if no web application firewall, such as Cloudflare, intercepts and strips harmful URLs.
Exploitation of this vulnerability could lead to unauthorized reading of files on the server's file system.
Users can upgrade to Wiki.js version 2.5.254 or later, where this vulnerability has been patched. As an alternative, storage modules with local asset caching capabilities, such as Local File System or Git, can be disabled.
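For code that serves files out of a local cache directory, the containment check this class of bug calls for can look like the following. This is an added example, not Wiki.js code or its patch; the cache path, function names and sample inputs are constructed, and `path.win32` is used so that Windows path rules apply on any host.

```javascript
const path = require('path');
const win = path.win32; // Windows path rules, independent of the host OS

// Hypothetical helper: map an already URL-decoded request path to a file
// inside cacheRoot, or return null if it would land anywhere else.
function resolveInsideCache(cacheRoot, requestedPath) {
  if (typeof requestedPath !== 'string' || requestedPath.includes('\0')) {
    return null;
  }
  const root = win.resolve(cacheRoot);
  // resolve() treats "/" and "\" alike and collapses "." and ".." segments;
  // an absolute or drive-qualified input replaces the root entirely.
  const target = win.resolve(root, requestedPath);
  const rel = win.relative(root, target);
  const escapes =
    rel === '' ||                      // the cache directory itself
    rel === '..' ||
    rel.startsWith('..' + win.sep) ||  // climbs above the root
    win.isAbsolute(rel);               // different drive or UNC share
  return escapes ? null : target;
}

// For contrast: a string-prefix test that looks equivalent but is not,
// because a sibling directory can share the root's name as a prefix.
function prefixOnlyCheck(cacheRoot, requestedPath) {
  return win.join(cacheRoot, requestedPath).startsWith(cacheRoot);
}

// Constructed cache root and request paths (not taken from the advisory).
const ROOT = 'C:\\wiki\\data\\cache';
const samples = [
  'uploads/logo.png',        // ordinary asset
  '..notes.txt',             // odd but legitimate file name
  '..\\..\\config.yml',      // backslash segments
  'uploads/../../x.txt',     // forward-slash segments
  '..\\cache-old\\a.png',    // sibling directory sharing the prefix
  'D:\\other\\file.txt',     // drive-qualified path
];

for (const s of samples) {
  const safe = resolveInsideCache(ROOT, s);
  const naive = prefixOnlyCheck(ROOT, s);
  console.log(JSON.stringify(s), '->', safe, '| prefix-only check:', naive);
}
```

The check compares resolved paths rather than inspecting the raw string, so it does not depend on which separator the request used or on a WAF having normalized the URL first.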