#今天又看了啥 #CTF
由 Hackergame 网盘一题引发的 h5ai 源码审计发现的自带的 API 存在路径穿越任意文件读取问题
算是 0day 了吧（

GitHub h5ai#758: A potential security issue of unauthorized access
https://github.com/lrsjng/h5ai/issues/758
相关WriteUp

以及
GitHub h5ai#760: Unchecked l10n input leads to arbitrary JSON file reads
https://github.com/lrsjng/h5ai/issues/760