CVE-2026-54563 Cloudreve: Path Traversal / Broken Access Control in Cloudreve WebDAV (`/dav`) — scoped DAV credential escapes its configured account root
Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, a Cloudreve WebDAV account rooted at a configured folder can send paths such as /dav/%2e%2e/outside.txt because stripPrefix in pkg/webdav/webdav.go joins the decoded request suffix to the account root with...