{
  "modified": "2025-08-09T19:01:28Z",
  "published": "2025-06-05T03:15:26Z",
  "id": "CVE-2025-49466",
  "details": "aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part,",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.sr.ht/~rjarry/aerc/commit/2bbe75fe0bc87ab4c1e16c5a18c6200224391629"
    },
    {
      "type": "WEB",
      "url": "https://git.sr.ht/~rjarry/aerc/commit/93bec0de8ed5ab3d6b1f01026fe2ef20fa154329"
    }
  ]
}