Cyber Resilience

CVE-2026-25575

HighPublic PoC

Published: 04 February 2026

Published
04 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 35.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25575 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Tum Navigatum. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25575 is a path traversal vulnerability affecting NavigaTUM, an open-source website and API used for searching rooms, buildings, and other places at the Technical University of Munich. The flaw exists in the propose_edits endpoint prior to commit 86f34c7, where unsanitized file keys in JSON payloads allow attackers to include traversal sequences such as ../../, enabling escape from the intended temporary directory. This issue is classified under CWEs-23 (Relative Path Traversal), CWE-26 (Relative Path Traversal), and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact potential over the network without authentication.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted JSON payloads to the propose_edits endpoint, overwriting arbitrary files in directories writable by the application user, such as /cdn. Successful exploitation allows replacement of public-facing images or exhaustion of server storage by filling writable directories, potentially disrupting service availability or enabling defacement through altered content.

The vulnerability has been patched in commit 86f34c7, as detailed in the GitHub commit (https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0), pull request #2650 (https://github.com/TUM-Dev/NavigaTUM/pull/2650), and security advisory GHSA-59hj-f48w-hjfm (https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm). Security practitioners should ensure deployments are updated to or beyond this commit to mitigate the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application…

more

user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server's storage. This issue has been patched via commit 86f34c7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1491.002 External Defacement Impact
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.
Why these techniques?

Path traversal in unauthenticated public-facing propose_edits endpoint enables T1190; resulting overwrite of public images directly facilitates T1491.002 external defacement.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21659Shared CWE-22, CWE-23
CVE-2025-29789Shared CWE-22, CWE-23
CVE-2025-27410Shared CWE-22, CWE-23
CVE-2026-27625Shared CWE-22, CWE-23
CVE-2026-27202Shared CWE-22, CWE-23
CVE-2021-47751Shared CWE-22
CVE-2026-7404Shared CWE-22, CWE-23
CVE-2025-2505Shared CWE-22
CVE-2026-5841Shared CWE-22
CVE-2026-33242Shared CWE-22

Affected Assets

tum
navigatum
≤ 2026-02-03

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal attacks by requiring validation of unsanitized file keys in JSON payloads to block traversal sequences like ../../.

prevent

Ensures timely remediation of the specific path traversal flaw through patching, as implemented in commit 86f34c7.

detect

Detects unauthorized file overwrites or modifications in writable directories like /cdn by verifying software, firmware, and information integrity.

References