Cyber Resilience

CVE-2019-25579

High · Public PoC

Published: 21 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: none described
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0109 (61.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25579 is a high-severity Path Traversal (CWE-22) vulnerability in Codnloc Phptransformer. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 38.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25579 is a directory traversal vulnerability (CWE-22) affecting phpTransformer version 2016.9. The issue exists in the jQueryFileUploadmaster server endpoint, where the path parameter can be manipulated using traversal sequences such as ../../../../../../, enabling unauthenticated attackers to list and retrieve arbitrary files outside the intended directory.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation grants read access to sensitive files, leading to high confidentiality impact without affecting integrity or availability.

References include an exploit proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/46192), a Vulncheck advisory detailing the directory traversal via jQueryFileUpload (https://www.vulncheck.com/advisories/phptransformer-directory-traversal-via-jqueryfileupload), the phpTransformer website (http://phptransformer.com/), and a download link for the affected release (https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip). No patches or specific mitigations are described in the available information.


Vulnerability details

phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and retrieve files outside the intended directory.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directory traversal enables remote file/directory enumeration (T1083) and arbitrary file read from the local system (T1005) via unauthenticated exploitation of a public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25578 (same product: Codnloc Phptransformer)
CVE-2025-60946 (shared CWE-22)
CVE-2025-52452 (shared CWE-22)
CVE-2026-30914 (shared CWE-22)
CVE-2024-57669 (shared CWE-22)
CVE-2026-25869 (shared CWE-22)
CVE-2025-2264 (shared CWE-22)
CVE-2024-57451 (shared CWE-22)
CVE-2026-49128 (shared CWE-22)
CVE-2026-40062 (shared CWE-22)

Affected Assets

codnloc phptransformer 2016.9

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 Information Input Validation
Requires validation of the path parameter in the jQueryFileUploadmaster endpoint to reject directory traversal sequences like '../../../../../../', directly preventing unauthorized access to arbitrary files.

prevent: SI-2 Flaw Remediation
Mandates identification, reporting, and correction of the specific directory traversal flaw in phpTransformer 2016.9, eliminating the vulnerability through patching or code fixes.

prevent: file system access control
Enforces access control policies on file system resources to restrict reads to intended directories, mitigating the impact of path manipulation attempts.
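One way to implement the path validation that the SI-10 control above calls for, as an added example in Python and not code from phpTransformer itself: the path value is percent-decoded once, traversal components, absolute paths, backslash separators and null bytes are rejected, and the resolved path is confirmed to stay under an assumed upload root (`/srv/app/uploads` is a constructed value, not the application's real document root).

```python
import os
from urllib.parse import unquote

# Constructed upload root for the example; the real application's
# directory layout is not given on the page, so this is an assumption.
UPLOAD_ROOT = "/srv/app/uploads"


def safe_path(base_dir: str, requested: str):
    """Return the absolute path for `requested` inside `base_dir`, or None.

    Rejects traversal components (".."), absolute paths, null bytes and
    double-encoded input, then confirms containment after symlink
    resolution so a link inside the tree cannot escape it either.
    """
    # Decode percent-encoding exactly once. A value that still contains
    # '%' afterwards was double-encoded (e.g. %252e) and is rejected as
    # ambiguous rather than decoded a second time.
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        return None
    # Treat backslashes as separators too, so "..\\" is not missed.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None
    # Split into components, dropping empty and "." segments; any ".."
    # component is a traversal attempt regardless of how it was spelled.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # realpath() normalises lexically when the path does not exist, so the
    # containment check is still meaningful on a host without this tree.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values of the path parameter, benign and hostile.
    for value in ("files/report.pdf", "../../../../../../etc/passwd",
                  "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(repr(value), "->", safe_path(UPLOAD_ROOT, value))
```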

References