CVE-2026-25575
Published: 04 February 2026
Summary
CVE-2026-25575 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Tum Navigatum. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25575 is a path traversal vulnerability affecting NavigaTUM, an open-source website and API used for searching rooms, buildings, and other places at the Technical University of Munich. The flaw exists in the propose_edits endpoint prior to commit 86f34c7, where unsanitized file keys in JSON payloads allow attackers to include traversal sequences such as ../../, enabling escape from the intended temporary directory. This issue is classified under CWEs-23 (Relative Path Traversal), CWE-26 (Relative Path Traversal), and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact potential over the network without authentication.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted JSON payloads to the propose_edits endpoint, overwriting arbitrary files in directories writable by the application user, such as /cdn. Successful exploitation allows replacement of public-facing images or exhaustion of server storage by filling writable directories, potentially disrupting service availability or enabling defacement through altered content.
The vulnerability has been patched in commit 86f34c7, as detailed in the GitHub commit (https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0), pull request #2650 (https://github.com/TUM-Dev/NavigaTUM/pull/2650), and security advisory GHSA-59hj-f48w-hjfm (https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm). Security practitioners should ensure deployments are updated to or beyond this commit to mitigate the issue.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5325
Vulnerability details
NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application…
more
user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server's storage. This issue has been patched via commit 86f34c7.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in unauthenticated public-facing propose_edits endpoint enables T1190; resulting overwrite of public images directly facilitates T1491.002 external defacement.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents path traversal attacks by requiring validation of unsanitized file keys in JSON payloads to block traversal sequences like ../../.
Ensures timely remediation of the specific path traversal flaw through patching, as implemented in commit 86f34c7.
Detects unauthorized file overwrites or modifications in writable directories like /cdn by verifying software, firmware, and information integrity.