Relative Path Traversal
The EverShop web application in versions prior to 1.0.0-rc.8 does not validate the input passed to the function 'unlinkSync' in 'deleteFile.js', leading to a Relative Path Traversal vulnerability that enables arbitrary file deletion. The impact extends beyond path traversal: the "/api/files" endpoint accepts "DELETE" requests, which allows files to be deleted across the filesystem.
CWE-23 - Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
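The containment check whose absence the CWE-23 description above refers to, applied before a Node.js 'unlinkSync' call. This is an added example, not EverShop's code or its actual fix; the function names, the media root layout and the temporary files are constructed for illustration.

```javascript
// Added illustration, not EverShop's code. All names and paths here are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Resolve a client-supplied path against root and confirm the result stays under root.
// Returns the absolute path, or null when the input is unusable or escapes root.
function resolveInsideRoot(root, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0 || userPath.includes('\0')) {
    return null;
  }
  const base = path.resolve(root);
  const target = path.resolve(base, userPath); // collapses "." and ".." segments
  const rel = path.relative(base, target);
  // "" is root itself; a leading ".." segment or an absolute result lies outside root.
  const rejected = rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return rejected ? null : target;
}

// Delete only regular files that resolve inside root. lstat rejects a symlink as the
// final component; symlinked parent directories are not resolved by this check.
function safeDelete(root, userPath) {
  const target = resolveInsideRoot(root, userPath);
  if (target === null) return { deleted: false, reason: 'outside-root' };
  let st;
  try { st = fs.lstatSync(target); } catch { return { deleted: false, reason: 'not-found' }; }
  if (!st.isFile()) return { deleted: false, reason: 'not-a-regular-file' };
  fs.unlinkSync(target);
  return { deleted: true, reason: null };
}

// Constructed demo: a throwaway media root with one file inside and one file outside.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'trav-demo-'));
  const root = path.join(tmp, 'media');
  const outside = path.join(tmp, 'config.json');
  fs.mkdirSync(path.join(root, 'catalog'), { recursive: true });
  fs.writeFileSync(path.join(root, 'catalog', 'a.png'), 'x');
  fs.writeFileSync(outside, '{}');
  const results = {
    inside: safeDelete(root, 'catalog/a.png'),
    dotdot: safeDelete(root, '../config.json'),
    nested: safeDelete(root, 'catalog/../../config.json'),
    absolute: safeDelete(root, outside),
    outsideSurvives: fs.existsSync(outside),
  };
  fs.rmSync(tmp, { recursive: true, force: true });
  return results;
}
```

The check compares resolved paths rather than searching the raw string for "..", so a legitimate name such as "..foo" inside the root is still accepted.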