| Title | Sanster IOPaint 1.5.3 Path Traversal - Arbitrary File Read |
|---|
| Description | The File Manager component in IOPaint contains a path traversal vulnerability in the _get_file() method. The filename parameter received from user HTTP query strings is directly concatenated with a base directory path using Python's Path / operator without any sanitization or validation. This allows an attacker to use ../ sequences to escape the intended directory and read arbitrary files on the server. |
|---|
| Source | ⚠️ https://github.com/August829/CVEP/issues/11 |
|---|
| User | Yu_Bao (UID 89348) |
|---|
| Submission | 03/16/2026 06:56 (22 days ago) |
|---|
| Moderation | 03/31/2026 18:20 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 354448 [Sanster IOPaint 1.5.3 File Manager file_manager.py _get_file filename path traversal] |
|---|
| Points | 20 |
|---|