1. GameMod::load() Path Traversal: Malicious Mod Can Read Arbitrary Files on Host System
A critical directory traversal vulnerability has been identified in parish-core's mod loading system. The `GameMod::load()` function in `crates/parish-core/src/game_mod.rs` (lines 471–548) validates the base mod directory via canonicalization at line 459, but subsequently joins manifest-provided relative paths without ...
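
One way to keep manifest-provided paths inside a canonicalized mod directory, as an added example that is not parish-core's own code. The names `naive_join` and `resolve_in_mod_dir` are hypothetical and the directory layout is constructed. The sketch contrasts a bare `Path::join` (which follows `..` and is replaced outright by an absolute entry) with a join that rejects those components and then re-checks the canonical result, which also catches symlinks.

```rust
use std::path::{Component, Path, PathBuf};

/// Base directory is trusted, manifest entry is joined unchecked.
fn naive_join(base: &Path, manifest_rel: &str) -> PathBuf {
    base.join(manifest_rel)
}

/// Hypothetical hardened join: accept only plain relative components,
/// then confirm the resolved path is still under the canonical base.
fn resolve_in_mod_dir(base: &Path, manifest_rel: &str) -> Result<PathBuf, String> {
    let rel = Path::new(manifest_rel);
    // Lexical check: reject absolute paths, drive prefixes and `..`.
    for c in rel.components() {
        match c {
            Component::Normal(_) | Component::CurDir => {}
            other => return Err(format!("rejected {:?} in {:?}", other, manifest_rel)),
        }
    }
    let base = base.canonicalize().map_err(|e| format!("base: {}", e))?;
    // Canonicalizing the joined path resolves symlinks inside the mod
    // directory, which the lexical check alone cannot see.
    let full = base
        .join(rel)
        .canonicalize()
        .map_err(|e| format!("{}: {}", manifest_rel, e))?;
    if !full.starts_with(&base) {
        return Err(format!("{:?} resolves outside the mod directory", manifest_rel));
    }
    Ok(full)
}

fn main() {
    // Constructed sample layout under the system temp directory.
    let root = std::env::temp_dir().join(format!("mod_demo_{}", std::process::id()));
    let mod_dir = root.join("mods").join("sample");
    std::fs::create_dir_all(&mod_dir).unwrap();
    std::fs::write(mod_dir.join("world.json"), "{}").unwrap();
    std::fs::write(root.join("outside.txt"), "not part of the mod").unwrap();

    for entry in ["world.json", "../../outside.txt", "/etc/hostname"] {
        println!("{:<20} naive   = {:?}", entry, naive_join(&mod_dir, entry));
        println!("{:<20} checked = {:?}", entry, resolve_in_mod_dir(&mod_dir, entry));
    }
    std::fs::remove_dir_all(&root).ok();
}
```

The final `starts_with` comparison works on whole path components, so a sibling directory whose name merely begins with the mod directory's name does not pass.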