Cyber Resilience

CVE-2026-45225

High · Public PoC

Published: 12 May 2026
Modified: 14 May 2026
CVSS v4.0 score: 7.2 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0036 (27.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-45225 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The vulnerability is ranked at the 27.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Vulnerability details

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in authenticated file upload directly enables arbitrary file write/read/delete, facilitating web shell deployment (T1100/T1505.003) and file deletion for defense evasion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14520 (shared CWE-22)
CVE-2025-24960 (shared CWE-22)
CVE-2026-32808 (shared CWE-22)
CVE-2026-41202 (shared CWE-22)
CVE-2026-41203 (shared CWE-22)
CVE-2026-33195 (shared CWE-22)
CVE-2026-34728 (shared CWE-22)
CVE-2019-25480 (shared CWE-22)
CVE-2026-7519 (shared CWE-22)
CVE-2024-13545 (shared CWE-22)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
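The following is an added illustration of the control above and of the weakness the Vulnerability details describe; it is not Heym's code, and the project's actual upload_file() implementation does not appear on this page. It contrasts a filename joined onto the storage directory with no validation (the weakness class) against a hardened handler that allow-lists the filename, confirms the canonical path stays inside the storage root, and, as the strongest option, discards the client-supplied name altogether. STORAGE_DIR, every function name and the sample filenames are assumptions constructed for the example.

```python
"""Hardened handling of a client-supplied upload filename (CWE-22).

Added example, not Heym's code: STORAGE_DIR, all function names and the
sample filenames are assumptions made for illustration.
"""
import re
import uuid
from pathlib import Path

# Assumed storage root; the real project's layout is not on this page.
STORAGE_DIR = "/srv/heym/uploads"

# Allow-list for the bare filename: an alphanumeric first character, then a
# conservative character set. Path separators, NUL bytes, leading dots (and
# so "." and "..") and anything else that could act as a traversal sequence
# all fail to match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def naive_join(storage_dir: str, user_filename: str) -> Path:
    """The weakness class the advisory describes, shown for contrast only: the
    client's filename is joined onto the storage directory unvalidated, so any
    traversal sequence it carries is honoured when the path is resolved."""
    return (Path(storage_dir) / user_filename).resolve()


def sanitize_filename(user_filename: str) -> str:
    """Accept the filename only if it is a single, allow-listed path component.

    Rejecting (rather than silently stripping directory parts) fails closed
    and gives the application a clear event to log and alert on."""
    if not _SAFE_NAME.fullmatch(user_filename):
        raise ValueError(f"rejected filename: {user_filename!r}")
    return user_filename


def is_contained(storage_dir: str, candidate: Path) -> bool:
    """True if candidate's canonical path lies inside storage_dir."""
    root = Path(storage_dir).resolve()
    resolved = candidate.resolve()
    return resolved == root or root in resolved.parents


def resolve_upload_path(storage_dir: str, user_filename: str) -> Path:
    """Return the only path this upload may be written to, or raise ValueError."""
    root = Path(storage_dir).resolve()
    target = (root / sanitize_filename(user_filename)).resolve()
    # Defence in depth: independently of the allow-list, refuse any result
    # whose canonical parent is not the storage root itself.
    if target.parent != root or not is_contained(storage_dir, target):
        raise ValueError("resolved path escapes the storage directory")
    return target


def stored_name(user_filename: str) -> str:
    """Strongest option: never put the client's name on disk at all.

    The file is stored under a server-generated name; only a validated
    extension is kept from the original, which can be recorded as metadata."""
    ext = Path(sanitize_filename(user_filename)).suffix.lower()
    if not re.fullmatch(r"\.[a-z0-9]{1,8}", ext):
        ext = ""
    return uuid.uuid4().hex + ext


if __name__ == "__main__":
    # Constructed sample filenames: one benign, one carrying a traversal
    # sequence of the kind the advisory describes.
    for name in ("report.pdf", "../../outside.txt"):
        inside = is_contained(STORAGE_DIR, naive_join(STORAGE_DIR, name))
        print(f"naive join of {name!r} stays inside storage: {inside}")
        try:
            path = resolve_upload_path(STORAGE_DIR, name)
            print(f"hardened handler accepts {name!r} -> {path}")
        except ValueError as exc:
            print(f"hardened handler rejects {name!r}: {exc}")
```

The containment check in resolve_upload_path is deliberately redundant with the allow-list: if the regex is later loosened, the canonical-path comparison still blocks escapes, and a rejected filename is a signal worth recording in the application log, since legitimate clients do not send traversal sequences.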
