CVE-2025-41368

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-41368
Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any file if they have the appropriate permissions outside the document root configured on the server.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:smallsrv:small_http_server:*:*:*:*:*:*:*:*
History

26 Mar 2026, 21:07

Type Values Removed Values Added
References () https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrvĀ - () https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrvĀ - Third Party Advisory
First Time Smallsrv
Smallsrv small Http Server
CPE cpe:2.3:a:smallsrv:small_http_server:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1

26 Mar 2026, 13:16

Type Values Removed Values Added
Summary (en) Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access. (en) Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any file if they have the appropriate permissions outside the document root configured on the server.
CWE CWE-428 CWE-22

26 Mar 2026, 12:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-26 12:16

Updated : 2026-03-26 21:07

NVD link : CVE-2025-41368

Mitre link : CVE-2025-41368

CVE.ORG link : CVE-2025-41368

JSON object : View

Products Affected

smallsrv

  • small_http_server
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')