CVE-2026-45225

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.
Configurations

No configuration.

History

14 May 2026, 20:17

Type Values Removed Values Added
References () https://github.com/heymrun/heym/pull/92 - () https://github.com/heymrun/heym/pull/92 -

12 May 2026, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-12 22:16

Updated : 2026-07-14 21:16


NVD link : CVE-2026-45225

Mitre link : CVE-2026-45225

CVE.ORG link : CVE-2026-45225


JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')