CVE-2026-48544 is a path traversal vulnerability in Avaiga taipy 4.1.1 affecting the ElementLibrary.get_resource() method in taipy/gui/extension/library.py. The vulnerability stems from an incomplete directory containment check that uses str.startswith() without a trailing path separator, allowing attackers to craft GET requests with path traversal segments that escape the intended module directory. Flask's and Werkzeug's handling of path segments preserves traversal sequences, enabling unauthorized file access outside the library directory. The vulnerability is unauthenticated and has a CVSS 4.0 score of 8.7 (high severity). No patch or official remediation level is currently documented.

An unauthenticated attacker can exploit this vulnerability to access files outside the intended restricted directory, potentially exposing sensitive information or application files. The flaw allows bypassing directory containment checks, which could lead to unauthorized disclosure of files on the server where taipy is deployed. There is no indication of privilege escalation, code execution, or other impacts beyond unauthorized file access. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability is due to an incomplete path validation, users should monitor Avaiga's official channels for an official fix or update. Until a patch is available, consider restricting access to the affected endpoint or implementing additional access controls to prevent exploitation. Avoid exposing the vulnerable component to untrusted users if possible.