Cyber Posture

CVE-2018-25181

Severity: High · Public PoC

Published: 06 March 2026

Published: 06 March 2026
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0110 (78.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25181 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 21.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Validates the parent parameter in the getAlbum endpoint to reject directory traversal sequences such as ../, preventing unauthorized access to arbitrary system directories.

prevent (AC-3, Access Enforcement): Enforces approved access authorizations to restrict the getAlbum endpoint to only the intended directories, blocking path traversal beyond the application's scope.

prevent (SC-7, Boundary Protection): Implements boundary protection at external interfaces, such as web application firewalls, to inspect and block requests carrying path traversal payloads aimed at the unauthenticated endpoint.
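As an added illustration of the first two controls (SI-10 input validation followed by AC-3 access enforcement), not code from Musicco or from this advisory, the Python below canonicalises a user-supplied parent value and refuses anything that resolves outside the library root. The library layout, the function names and the getAlbum-style sample inputs are constructed for the example.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def make_library() -> str:
    """Create a small constructed music library tree and return its root."""
    root = tempfile.mkdtemp(prefix="musiclib_")
    for album in ("artist_a/album_1", "artist_b/album_2"):
        os.makedirs(os.path.join(root, album))
    return root


def resolve_album_dir(library_root: str, parent: str) -> Optional[str]:
    """Map the user-supplied ``parent`` value onto a directory under
    ``library_root``; return None when the request must be rejected.

    Two layers, matching SI-10 then AC-3: reject raw traversal tokens
    before touching the filesystem, then canonicalise and enforce that
    the resolved directory still lies under the library root.
    """
    decoded = unquote(parent)  # decode exactly once; never loop until stable
    if not decoded or "\x00" in decoded or os.path.isabs(decoded):
        return None
    parts = decoded.replace("\\", "/").split("/")
    if ".." in parts:  # catches ../, ..%2F and mixed-separator variants
        return None
    root = os.path.realpath(library_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # Containment check on canonical paths: also defeats symlinks pointing
    # out of the library and the /srv/music vs /srv/music_private prefix
    # collision that a naive startswith() check would miss.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isdir(candidate) else None


if __name__ == "__main__":
    lib = make_library()  # constructed fixture, not a real deployment
    for value in ("artist_a/album_1", "../../etc", "..%2F..%2Fetc", "/etc"):
        verdict = resolve_album_dir(lib, value)
        print(f"parent={value!r:<20} -> {'allowed ' + verdict if verdict else 'rejected'}")
```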

NVD Description

Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files.

Deeper analysis

CVE-2018-25181 is a path traversal vulnerability (CWE-22) affecting Musicco version 2.0.0. The flaw resides in the getAlbum endpoint, where the parent parameter can be manipulated with directory traversal sequences, such as ../, enabling unauthenticated attackers to access and download arbitrary system directories as ZIP files. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity. By supplying crafted traversal payloads in the parent parameter, they can traverse outside the intended directory structure to reach sensitive system locations, resulting in the unauthorized download of their contents as ZIP archives. This grants attackers broad read access to potentially critical files, configurations, or data without impacting integrity or availability.

Advisories and references, including an exploit on Exploit-DB (https://www.exploit-db.com/exploits/45830) and a VulnCheck advisory (https://www.vulncheck.com/advisories/musicco-arbitrary-directory-download-via-path-traversal), document the issue but do not specify patches or mitigations in the provided details. Security practitioners should review these sources for any updates on remediation, such as input validation on the parent parameter or endpoint restrictions.

A proof-of-concept exploit is publicly available on Exploit-DB, highlighting the vulnerability's exploitability in Musicco 2.0.0 deployments. The CVE was published on 2026-03-06.

Details

CWE(s): CWE-22 (Path Traversal)

CVEs Like This One

CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2024-48885 (shared CWE-22)
CVE-2024-12849 (shared CWE-22)
CVE-2026-33656 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-59384 (shared CWE-22)
CVE-2026-3051 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2025-12062 (shared CWE-22)
