csm is a csm-aut open source automation and orchestration framework for IOS-XR devices. csm 3.5 and earlier versions have a path traversal vulnerability that stems from a failure of Flask's send_file function to properly filter special elements in a resource or file path, which an attacker can exploit to access arbitrary files and directories stored on the file system.
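
The containment check that this class of bug lacks, as an added example that is not csm's code: the function names, directory layout and file names below are hypothetical, and the sample tree is constructed in a temporary directory. It contrasts a plain join of a request-supplied path with a check that resolves the path first and rejects anything outside the served directory.

```python
import os
import tempfile

def naive_path(base_dir, requested):
    # Vulnerable pattern: the request value is joined and handed to send_file as-is.
    return os.path.join(base_dir, requested)

def contained_path(base_dir, requested):
    """Return the resolved file path if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolved outside the served directory
    return candidate if os.path.isfile(candidate) else None

def demo():
    # Constructed sample tree: one public file, one file outside the served directory.
    root = tempfile.mkdtemp()
    served = os.path.join(root, "downloads")
    os.mkdir(served)
    outside = os.path.join(root, "secret.cfg")
    for path, text in ((os.path.join(served, "report.txt"), "public\n"), (outside, "private\n")):
        with open(path, "w") as fh:
            fh.write(text)
    os.symlink(outside, os.path.join(served, "link.txt"))
    requests = {
        "plain": "report.txt",
        "dotdot": os.path.join("..", "secret.cfg"),
        "absolute": outside,
        "symlink": "link.txt",
        "missing": "nope.txt",
    }
    checked = {k: contained_path(served, v) for k, v in requests.items()}
    naive_leaks = os.path.isfile(naive_path(served, requests["dotdot"]))
    return checked, naive_leaks

if __name__ == "__main__":
    checked, naive_leaks = demo()
    print("naive join reaches file outside served dir:", naive_leaks)
    for label, result in checked.items():
        print(f"{label:9} -> {'serve ' + result if result else 'reject (404)'}")
```

In a Flask view, only a non-None result would be passed on to send_file. Flask also provides send_from_directory, which joins a client-supplied filename onto a fixed directory safely.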