Path traversal in Wiki.js - CVE-2020-15236

 


Published: October 4, 2020 / Updated: April 28, 2026


Vulnerability identifier: #VU128263
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-15236
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Wiki.js
Software vendor: Requarks.io

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to path traversal in asset handling: a storage module that implements a local asset cache does not properly validate the path in a specially crafted URL. A remote user can send such a URL to read arbitrary files on the file system and disclose sensitive information.

Exploitation is only possible when a storage module implementing local asset cache is enabled, such as Local File System or Git, and when malicious URLs are not stripped before reaching the application.
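
The failure mode described above, as an added example that is not Wiki.js code or the vendor's fix: a hypothetical asset-cache lookup that joins the URL path onto the cache root, beside a version that rejects any path resolving outside that root. `CACHE_ROOT`, `unsafeCachePath` and `safeCachePath` are assumptions made for illustration.

```javascript
// Added example: hypothetical asset-cache lookup, not Wiki.js source code.
const path = require('path').posix;

// Constructed cache root, for illustration only.
const CACHE_ROOT = '/srv/wiki/data/cache';

// Vulnerable pattern: the decoded URL path is joined onto the cache root
// and the result is used without checking where it points.
function unsafeCachePath(urlPath) {
  return path.join(CACHE_ROOT, decodeURIComponent(urlPath));
}

// Hardened pattern: decode exactly once, resolve against the cache root,
// then require the resolved path to remain inside that root.
function safeCachePath(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  // Reject NUL bytes and backslashes instead of guessing how lower layers treat them.
  if (decoded.includes('\0') || decoded.includes('\\')) return null;
  // The './' prefix keeps a leading '/' in the URL from being read as an absolute path.
  const resolved = path.resolve(CACHE_ROOT, './' + decoded);
  // Compare with a trailing separator so a sibling such as ".../cache-old" fails.
  if (!resolved.startsWith(CACHE_ROOT + path.sep)) return null;
  return resolved;
}

// Constructed request paths: one legitimate asset, three that must be refused.
const SAMPLE_REQUESTS = [
  '/uploads/logo.png',
  '/../../../../etc/passwd',
  '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
  '/../cache-old/secret.txt',
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req, '->', safeCachePath(req) ?? 'rejected');
}
```

The containment check runs inside the application, so it still holds when no proxy in front of it strips dot segments from the URL.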


Remediation

Install the security update from the vendor's website.
