b4bilal discovered a misconfiguration when handling URI paths. This permitted an adversary to traverse the docroot and access non sensitive resources that are normally unavailable to web users.
@b4bilal — thank you for reporting this vulnerability and for confirming the resolution.