Cyber Posture

CVE-2019-25579

Severity: High · Public PoC

Published: 21 March 2026
Modified: 23 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0314 (87.0th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25579 is a high-severity Path Traversal (CWE-22) vulnerability in Codnloc Phptransformer. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 13.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Requires validation of the path parameter in the jQueryFileUploadmaster endpoint to reject directory traversal sequences such as ../../../../../../, directly preventing unauthorized access to arbitrary files.

prevent (SI-2, Flaw Remediation): Mandates identification, reporting, and correction of the specific directory traversal flaw in phpTransformer 2016.9, eliminating the vulnerability through patching or code fixes.

prevent: Enforces access control policies on file system resources so that reads are restricted to the intended directories, limiting the impact of path manipulation attempts.
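Validation of the kind the first control describes, as an added example that is not phpTransformer's own code: a PHP containment check that canonicalises the requested path against a served root and rejects anything that resolves outside it. The root directory, file names and request strings are constructed for the demonstration.

```php
<?php
// Added example (not phpTransformer's code): canonical-path containment check of
// the kind NIST SI-10 calls for. $baseDir and the request shape are assumptions.

function resolveWithinBase(string $baseDir, string $requested): ?string
{
    // Canonicalise the served root once; fail closed if it does not exist.
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    // A NUL byte would truncate the path in the underlying filesystem call.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses ".", ".." and symlinks and returns false when the
    // target does not exist, so unresolved or dangling names are rejected too.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($requested, "/\\"));
    if ($candidate === false) {
        return null;
    }
    // Containment test on the resolved path. The trailing separator stops a
    // sibling such as "/srv/uploads2" from matching a root of "/srv/uploads".
    if ($candidate !== $root && strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration in a scratch directory: one file inside the served
// root, one just outside it.
$scratch = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe22_demo_' . bin2hex(random_bytes(4));
mkdir($scratch . '/uploads', 0700, true);
file_put_contents($scratch . '/uploads/report.txt', "inside\n");
file_put_contents($scratch . '/secret.txt', "outside\n");
$cases = [
    'report.txt'                   => true,  // legitimate request
    '../secret.txt'                => false, // one step above the root
    '../../../../../../secret.txt' => false, // the advisory's traversal sequence
    '../uploads/report.txt'        => true,  // leaves and re-enters: inside once resolved
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = resolveWithinBase($scratch . '/uploads', $input) !== null;
    printf("%-30s %s\n", $input, $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
}
array_map('unlink', [$scratch . '/uploads/report.txt', $scratch . '/secret.txt']);
rmdir($scratch . '/uploads');
rmdir($scratch);
```

Deciding on the resolved path rather than searching the raw input for "../" is what makes the last case come out right, and what keeps an encoded or re-entering variant from slipping past a substring blocklist.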

NVD Description

phpTransformer 2016.9 contains a directory traversal vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the path parameter. Attackers can send requests to the jQueryFileUploadmaster server endpoint with traversal sequences ../../../../../../ to list and retrieve files outside the intended directory.

Deeper analysis

CVE-2019-25579 is a directory traversal vulnerability (CWE-22) affecting phpTransformer version 2016.9. The issue exists in the jQueryFileUploadmaster server endpoint, where the path parameter can be manipulated using traversal sequences such as ../../../../../../, enabling unauthenticated attackers to list and retrieve arbitrary files outside the intended directory.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation grants read access to sensitive files, leading to high confidentiality impact without affecting integrity or availability.

References include an exploit proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/46192), a VulnCheck advisory detailing the directory traversal via jQueryFileUpload (https://www.vulncheck.com/advisories/phptransformer-directory-traversal-via-jqueryfileupload), the phpTransformer website (http://phptransformer.com/), and a download link for the affected release (https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip). No patches or specific mitigations are described in the available information.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: codnloc phptransformer 2016.9

CVEs Like This One

- CVE-2019-25578 (same product: Codnloc Phptransformer)
- CVE-2026-23536 (shared CWE-22)
- CVE-2025-23422 (shared CWE-22)
- CVE-2024-48885 (shared CWE-22)
- CVE-2024-12849 (shared CWE-22)
- CVE-2026-33656 (shared CWE-22)
- CVE-2025-8343 (shared CWE-22)
- CVE-2025-59384 (shared CWE-22)
- CVE-2026-3051 (shared CWE-22)
- CVE-2025-15031 (shared CWE-22)
