CVE-2025-6776

Exploit

EPSS 0.62%
Veröffentlicht 27.06.2025 20:15:35
Zuletzt bearbeitet 29.04.2026 01:00:01
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

xiaoyunjie openvpn-cms-flask File Upload controller.py upload path traversal

A vulnerability classified as critical was found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This vulnerability affects the function Upload of the file app/plugins/oss/app/controller.py of the component File Upload. The manipulation of the argument image leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The name of the patch is e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

Betroffene Produkte Warnungen 0 Metriken 5 CWE 1 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xiaoyunjie ≫ Openvpn-cms-flask Version < 1.2.8

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.62%	0.448

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@vuldb.com	5.5	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/xiaoyunjie/openvpn-cms-flask/commit/e23559b98c8ea2957f09978c29f4e512ba789eb6

Patch

https://github.com/xiaoyunjie/openvpn-cms-flask/releases/tag/v1.2.8

Release Notes

https://github.com/xiaoyunjie/openvpn-cms-flask/issues/23

Vendor Advisory

Exploit

Issue Tracking

https://vuldb.com/?ctiid.314092

VDB Entry

Permissions Required

https://vuldb.com/?id.314092

Third Party Advisory

VDB Entry

https://vuldb.com/?submit.602374

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2025-6776

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-6776

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-6776

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-6776