CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59149

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-09
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This issue is fixed in version 9.7.0.

⚡ Watch CVE-2026-59149

Get an email if CVE-2026-59149 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-59149

CVE.org record

Embed the live status

CVE-2026-59149 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59149 status](https://www.csirts.com/badge/CVE-2026-59149)](https://www.csirts.com/cve/CVE-2026-59149)