CVE-2026-42564

fccview · jotty

The jotty·page application is vulnerable to path traversal and sensitive information exposure, potentially allowing unauthorized access to system files.

Executive summary

An unauthenticated path traversal vulnerability in jotty·page versions prior to 1.22.0 allows unauthorized actors to read sensitive system information.

Vulnerability

The application suffers from Improper Limitation of a Pathname to a Restricted Directory (CWE-22) and Exposure of Sensitive Information (CWE-200). The vulnerability is reachable over the network without authentication or user interaction (AV:N/AC:L/PR:N/UI:N).

Business impact

This vulnerability carries a CVSS score of 8.2, indicating High severity. An attacker can exploit this to bypass directory restrictions and access sensitive configuration files, notes, or checklists stored on the server, resulting in a significant breach of data confidentiality.

Remediation

Immediate Action: Update the jotty application to version 1.22.0 or later as soon as possible.

Proactive Monitoring: Review web server access logs for path traversal patterns, such as sequences like "../" in URI requests, which may indicate attempted exploitation.

Compensating Controls: Use a WAF to filter and block requests containing directory traversal sequences and ensure the application runs with the least privilege necessary to limit the scope of potential file access.

Exploitation status

Public Exploit Available: No (Exploit_available: unknown)

Analyst recommendation

This vulnerability poses a direct risk to the confidentiality of user notes and checklists. Organizations should apply the latest security update immediately to restrict directory access and prevent unauthorized information disclosure.