Jotty.page Unauthenticated Path Traversal Vulnerability Allowing Sensitive File Disclosure
Vulnerability
A path traversal vulnerability has been identified in jotty.page versions prior to 1.22.0. This vulnerability allows unauthenticated users to read files outside the intended directory by exploiting the filename parameter in the app-icons API endpoint. The lack of proper validation enables encoded traversal sequences to escape the designated directory, leading to unauthorized access to sensitive files, including user records, password hashes, and active session tokens.
Impact
Exploitation of this vulnerability allows for unrestricted file reading, with unauthenticated access to user records, password hashes, and active session-token mappings.
Remediation
Upgrade to jotty.page version 1.22.0 to address this vulnerability.