elfinder.netcore is vulnerable to path traversal. Lack of sanitization of user-provided data to the Path.Combine(…) method allows attacker to input malicious characters to access files and directories outside the destination folder.
github.com/gordon-matt/elFinder.NetCore
github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs#L387
github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L387