4.1.3

Latest

@github-actions github-actions released this 04 Jun 13:20
  • Fixes authenticated path traversal vulnerability in /vault/{path} endpoints
    (GET, PUT, POST, PATCH, DELETE, MOVE). A percent-encoded slash (%2F) in the
    path could escape the vault root and allow arbitrary host file read, write,
    or delete with the privileges of the Obsidian process. (GHSA-62gx-5q78-wrvx;
    Thanks @AgenticWizard for the responsible disclosure!)
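
The class of bug described above, as an added example (not the plugin's code or its actual patch): one common way an encoded slash slips past a traversal check is validating the raw path segments before percent-decoding them. The function names and sample paths below are constructed for illustration.

```javascript
// Added example; function names and sample paths are constructed.

// Flawed: inspects raw segments, decodes afterwards.
function naiveResolve(rawPath) {
  const segments = rawPath.split("/");
  if (segments.includes("..")) return null; // only catches a literal ".."
  // Decoding after the check turns "%2F" into a new separator.
  return segments.map(decodeURIComponent).join("/");
}

// Hardened: decode exactly once, then validate the decoded form.
// Returns a normalised vault-relative path, or null to reject.
function safeResolve(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0") || decoded.includes("\\")) return null;
  const stack = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return null; // would climb above the vault root
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return stack.join("/");
}

// Constructed request paths, as they would follow /vault/ in the URL.
const SAMPLES = [
  "notes/daily.md",
  "a/b/../c.md",
  "notes/..%2F..%2Foutside.txt",
  "%E0%A4%A",
];

function compare(samples) {
  return samples.map((p) => ({ path: p, hardened: safeResolve(p) }));
}

console.log(compare(SAMPLES));
```

This check is purely lexical; symlinks inside the vault need a separate real-path comparison against the vault root.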