{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45225/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-45225"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Heym","heymrun/heym"],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-upload","CVE-2026-45225"],"_cs_type":"advisory","_cs_vendors":["Heym"],"content_html":"\u003cp\u003eHeym before version 0.0.21 contains a path traversal vulnerability in its file upload endpoint. This flaw allows authenticated users to write malicious files to arbitrary locations on the server. By crafting a filename containing traversal sequences (e.g., ../../), an attacker can bypass intended path restrictions and manipulate files outside of the designated upload directory. This vulnerability affects the \u003ccode\u003eupload_file()\u003c/code\u003e handler due to insufficient validation of the filename parameter. Successful exploitation could lead to arbitrary file write, read, or even deletion, potentially compromising the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Heym application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious filename containing path traversal sequences (e.g., \u003ccode\u003e../../../evil.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker initiates a file upload request to the \u003ccode\u003eupload_file()\u003c/code\u003e endpoint, including the crafted filename.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupload_file()\u003c/code\u003e handler receives the request but fails to properly sanitize the filename.\u003c/li\u003e\n\u003cli\u003eThe application writes the uploaded file to a location outside the intended directory, based on the path provided in the crafted filename.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers execution of the uploaded file (e.g. if it\u0026rsquo;s a PHP file).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write, read, or delete files outside the intended storage directory. This can lead to arbitrary code execution, allowing the attacker to gain complete control over the affected system. The CVSS v3.1 base score for this vulnerability is 7.6 (High), indicating a significant risk. The potential impact includes unauthorized access to sensitive data, modification of critical system files, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Heym to version 0.0.21 or later to patch CVE-2026-45225.\u003c/li\u003e\n\u003cli\u003eImplement robust filename validation and sanitization within the \u003ccode\u003eupload_file()\u003c/code\u003e handler to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Heym Path Traversal File Upload (CVE-2026-45225)\u003c/code\u003e to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to the file upload endpoint containing suspicious filename patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:22:11Z","date_published":"2026-05-12T22:22:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-heym-path-traversal/","summary":"Heym before 0.0.21 is vulnerable to path traversal, allowing authenticated users to write attacker-controlled files to arbitrary locations by exploiting the unvalidated filename parameter in the upload_file() handler (CVE-2026-45225).","title":"Heym Path Traversal Vulnerability in File Upload Endpoint (CVE-2026-45225)","url":"https://feed.craftedsignal.io/briefs/2026-05-heym-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45225","version":"https://jsonfeed.org/version/1.1"}