SB2021120403 - Path traversal in Wiki.js
Published: December 4, 2021 Updated: April 28, 2026
Security Bulletin ID
SB2021120403
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Path traversal (CVE-ID: CVE-2021-43800)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in asset cache fetching with storage modules implementing local asset cache when handling a specially crafted URL on Windows. A remote user can send a specially crafted URL to disclose sensitive information.
This is only possible on Windows hosts when a storage module implementing local asset cache is enabled, such as Local File System or Git, and no web application firewall strips malicious URLs.
Remediation
Install update from vendor's website.