CVE-2026-48544 affects Taipy 4.1.1, a path traversal vulnerability in the ElementLibrary.get_resource() method that allows unauthenticated attackers to escape the intended module directory. The vulnerability exploits an incomplete path containment check using str.startswith() without a trailing path separator. Attackers can send crafted GET requests with path traversal segments to bypass directory containment checks. The flaw exists because Flask's path converter and Werkzeug's WSGI layer preserve traversal segments while the resolved path satisfies the flawed startswith comparison. This enables unauthorized file access outside the intended library directory. The issue was fixed in commit 129fd40.