From 48015a9b1b9dddc00511a72dfe844da27486ea67 Mon Sep 17 00:00:00 2001
From: Matthias
Date: Tue, 24 Feb 2026 21:52:37 +0100
Subject: [PATCH] fix: path traversal in web_ui

---
 freqtrade/rpc/api_server/web_ui.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freqtrade/rpc/api_server/web_ui.py b/freqtrade/rpc/api_server/web_ui.py
index 8d143c57d..5d26429b3 100644
--- a/freqtrade/rpc/api_server/web_ui.py
+++ b/freqtrade/rpc/api_server/web_ui.py
@@ -37,8 +37,8 @@ async def index_html(rest_of_path: str):
 """
 if rest_of_path.startswith("api") or rest_of_path.startswith("."):
 raise HTTPException(status_code=404, detail="Not Found")
- uibase = Path(__file__).parent / "ui/installed/"
- filename = uibase / rest_of_path
+ uibase = (Path(__file__).parent / "ui/installed/").resolve()
+ filename = (uibase / rest_of_path).resolve()
 # It's security relevant to check "relative_to".
 # Without this, Directory-traversal is possible.
 media_type: str | None = None
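Review bot: The two `.resolve()` calls on the `+` lines are what make the `relative_to` check below effective, yet the comment on the two context lines that follow still presents `relative_to` as the whole defense; `PurePath.relative_to` is purely lexical, so before this change a `rest_of_path` containing `..` segments in the middle satisfied it while still pointing outside `uibase`. I would extend the comment so a later cleanup does not drop the `.resolve()` calls as cosmetic: `# Both sides are resolve()d so ".." segments and symlinks are collapsed first; relative_to() alone is lexical and does not detect traversal.` Note also that in non-strict mode `Path.resolve()` raises `RuntimeError` on a symlink loop on Python before 3.13, so the handler should treat that like the `ValueError` from `relative_to` if the except clause only catches the latter — that check, and the rest of `index_html`, lie outside the hunk.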