2 matches found
CVE-2026-59149
Mockoon before version 9.7.0 is affected by a path-traversal in the templated filePath. The vulnerability arises because getSafeFilePath checks resolvedPath.startsWith(staticBaseDir) without a path-separator boundary, allowing an unauthenticated client to craft a ../-escaped path that prefixes th...
CVE-2026-59149 Mockoon: Path traversal in templated `filePath` lets a request escape the served directory (prefix-only base check)
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWithstaticBaseDir. That prefix test has no path-separator boundary, so a...