CVE-2025-54790

Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/humhub/cfiles/pull/252	Issue Tracking
https://github.com/humhub/cfiles/releases/tag/v0.16.10	Release Notes
https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:humhub:files:*:*:*:*:*:*:*:*

History

12 Sep 2025, 16:32

Type	Values Removed	Values Added
References	~~() https://github.com/humhub/cfiles/pull/252 -~~	() https://github.com/humhub/cfiles/pull/252 - Issue Tracking
References	~~() https://github.com/humhub/cfiles/releases/tag/v0.16.10 -~~	() https://github.com/humhub/cfiles/releases/tag/v0.16.10 - Release Notes
References	~~() https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj -~~	() https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Humhub Humhub files
CPE		cpe:2.3:a:humhub:files::::::::

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) Files es un módulo para gestionar archivos dentro de espacios y perfiles de usuario. En las versiones 0.16.9 y anteriores, Files no cuenta con lógica para evitar la explotación de consultas SQL de backend sin salida directa, lo que podría permitir el acceso no autorizado a los datos. Esto se solucionó en la versión 0.16.10.

02 Aug 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-02 00:15

Updated : 2025-09-12 16:32

NVD link : CVE-2025-54790

Mitre link : CVE-2025-54790

CVE.ORG link : CVE-2025-54790

JSON object : View

Products Affected

humhub

files

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-54790", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-02T00:15:26.360", "references": [{"url": "https://github.com/humhub/cfiles/pull/252", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/humhub/cfiles/releases/tag/v0.16.10", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10."}, {"lang": "es", "value": "Files es un m\u00f3dulo para gestionar archivos dentro de espacios y perfiles de usuario. En las versiones 0.16.9 y anteriores, Files no cuenta con l\u00f3gica para evitar la explotaci\u00f3n de consultas SQL de backend sin salida directa, lo que podr\u00eda permitir el acceso no autorizado a los datos. Esto se solucion\u00f3 en la versi\u00f3n 0.16.10."}], "lastModified": "2025-09-12T16:32:36.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:humhub:files:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "938AE4B4-2EC3-4822-ABBC-8763DD485B2E", "versionEndExcluding": "0.16.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}