CVE-2026-25575

NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server's storage. This issue has been patched via commit 86f34c7.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0	Patch
https://github.com/TUM-Dev/NavigaTUM/pull/2650	Exploit Issue Tracking Patch
https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm	Exploit Vendor Advisory
https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tum:navigatum:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:24

Type	Values Removed	Values Added
Summary		(es) NavigaTUM es un sitio web y una API para buscar salas, edificios y otros lugares. Antes del commit 86f34c7, existe una vulnerabilidad de salto de ruta en el endpoint propose_edits que permite a usuarios no autenticados sobrescribir archivos en directorios con permisos de escritura para el usuario de la aplicación (por ejemplo, /cdn). Al proporcionar claves de archivo no saneadas que contienen secuencias de salto (por ejemplo, ../../) en la carga útil JSON, un atacante puede escapar del directorio temporal previsto y reemplazar imágenes de cara al público o llenar el almacenamiento del servidor. Este problema ha sido parcheado mediante el commit 86f34c7.

11 Feb 2026, 19:10

Type	Values Removed	Values Added
CPE		cpe:2.3:a:tum:navigatum::::::::
CWE		CWE-22
First Time		Tum navigatum Tum
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0 -~~	() https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0 - Patch
References	~~() https://github.com/TUM-Dev/NavigaTUM/pull/2650 -~~	() https://github.com/TUM-Dev/NavigaTUM/pull/2650 - Exploit, Issue Tracking, Patch
References	~~() https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm -~~	() https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm - Exploit, Vendor Advisory

05 Feb 2026, 18:16

Type	Values Removed	Values Added
References	~~() https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm -~~	() https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm -

04 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-04 22:16

Updated : 2026-06-17 10:24

NVD link : CVE-2026-25575

Mitre link : CVE-2026-25575

CVE.ORG link : CVE-2026-25575

JSON object : View

Products Affected

tum

navigatum

CWE

CWE-23

Relative Path Traversal

CWE-26

Path Traversal: '/dir/../filename'

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.5 /10