9.8
CVE-2025-64712
- EPSS 0.62%
- Veröffentlicht 04.02.2026 17:34:51
- Zuletzt bearbeitet 27.02.2026 20:30:48
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginUnstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write
The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Unstructured ≫ Unstructured SwPlatformpython Version < 0.18.18
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.62% | 0.448 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73 External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.
https://github.com/Unstructured-IO/unstructured/security/advisories/GHSA-gm8q-m8mv-jj5m
https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d