Vendor
An authenticated path traversal vulnerability (GHSA-62gx-5q78-wrvx) in the Obsidian Local REST API's `/vault/{path}` endpoints allows an attacker to bypass path normalization checks using URL-encoded `%2F` sequences, enabling arbitrary file read, write, and delete operations outside the intended vault directory with the privileges of the Obsidian process.