Affected versions of this package are vulnerable to Path Traversal due to missing validation of the filename parameter in a multipart POST request sent to the v1/files endpoint. As a result, arbitrary files can be written to the server by providing a filename containing a "../" payload. An attacker can create a webpage once visited by the victim can send a cross-origin multipart POST request and trigger the vulnerability. This can lead to Remote Code Execution (RCE) on the server.