b4bilal discovered a misconfiguration when handling URI paths. This permitted an adversary to traverse the docroot and access non sensitive resources that are normally unavailable to web users. @b4bilal — thank you for reporting this vulnerability and for confirming the resolution.