What the vulnerability does
01 Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in tstafford include-file include-file allows Path Traversal. This issue affects include-file: from n/a through <= 1.
Explanation of Vulnerability in Simple Terms
02 Summary
The include-file component contains a path traversal vulnerability that allows authenticated users to read arbitrary files from the server. An attacker with low-level access can bypass directory restrictions and access sensitive files outside the intended scope. No user interaction is required. This affects all versions up to and including 1.0.
What an attacker can do
03 Attacker Capabilities
Read arbitrary files from the server filesystem.
Potential impact on your site
04 Site Impact
Sensitive files (config, database credentials, private keys) may be exposed to authenticated users.
Conditions required to exploit
05 Prerequisites
Attacker must have low-level authenticated access to the application.
Key dates
06 Disclosure timeline
April 3, 2025: CVE published
April 28, 2026: Record updated