baowzh hfly CVE-2025-14521
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The affected element is an unknown function of the file /admin/index.php/datafile/download. Such manipulation of the argument filename leads to path traversal. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
A path traversal flaw in baowzh hfly lets an authenticated remote attacker read files outside the intended download directory by manipulating the filename parameter of the /admin/index.php/datafile/download endpoint. All code up to commit 638ff9abe9078bc977c132b37acbe1900b63491c is affected; exploit code has been published and the vendor did not respond to the early disclosure. The CVSS 4.0 base score of 2.1 reflects the need for an account (PR:L) and a confidentiality-only impact rated low (VC:L, no integrity or availability impact), and the low EPSS (0.15%) indicates little observed real-world exploitation despite the public exploit. Because the route sits under /admin/, the practical precondition is whatever credentials reach the admin area; NVD rates that requirement as low privileges.
Technical Context (AI)
baowzh hfly is a PHP-based travel website content management system distributed on a rolling-release model without discrete version numbers. The vulnerability is in the file download handler at /admin/index.php/datafile/download: the filename parameter is used to build a filesystem path without being confined to the intended directory, so traversal sequences (typically ../, possibly URL-encoded; the exact payload is not given in the advisory) escape it. This is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): the application never canonicalizes the user-supplied path and checks that the result stays inside the download directory before handing it to file operations. The reachable data is bounded by what the PHP process can read, which in a typical deployment includes the application's own configuration files and credentials.
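The pattern above, written out as an added example rather than the project's own code: the vulnerable concatenation beside a hardened resolver. The route and the filename parameter come from the advisory; the download directory, the handler name and the self-check inputs are assumptions for illustration, since hfly's real layout is not known.

```php
<?php
declare(strict_types=1);

// Added example, not code from the hfly project. Directory layout, handler
// name and sample inputs are assumptions modelled on the advisory.

/**
 * The vulnerable shape CWE-22 describes: user input is glued onto the base
 * directory with no containment check, so a filename of
 * "../../config/database.php" resolves outside the download directory.
 */
function vulnerable_download_path(string $baseDir, string $filename): string
{
    return $baseDir . '/' . $filename;
}

/**
 * Hardened resolver. Returns the canonical path of an existing regular file
 * inside $baseDir, or null when the request must be refused.
 */
function safe_download_path(string $baseDir, string $filename): ?string
{
    // NUL bytes truncate paths inside libc; refuse them before anything else.
    if (strpos($filename, "\0") !== false) {
        return null;
    }
    // Accept a single path component of conservative characters, starting
    // with a letter or digit. This rejects "/", "\", ".", "..", dotfiles such
    // as .htaccess, and anything that was URL-encoded upstream (PHP has
    // already decoded $_GET by the time the handler sees it).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $filename)) {
        return null;
    }
    // Canonicalise both sides. realpath() follows symlinks and returns false
    // for a non-existent path, so the containment check sees the real target.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Defence in depth against a symlink inside the directory that points out
    // of it: the resolved path must start with "<base>/".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Route handler (assumed name): send the file or fail closed. */
function handle_download(string $baseDir): void
{
    $raw  = $_GET['filename'] ?? '';
    $path = is_string($raw) ? safe_download_path($baseDir, $raw) : null;
    if ($path === null) {
        http_response_code(400);
        echo 'invalid filename';
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Self-check against a constructed directory: one file inside, one outside.
    $dir = sys_get_temp_dir() . '/hfly-demo-' . getmypid();
    mkdir($dir . '/downloads', 0700, true);
    file_put_contents($dir . '/downloads/report.csv', "id,name\n");
    file_put_contents($dir . '/secret.txt', "outside\n");
    foreach (['report.csv', '../secret.txt', '/etc/passwd', "report.csv\0.png", '.htaccess'] as $f) {
        printf("%-22s vulnerable: %s\n", addcslashes($f, "\0"), vulnerable_download_path($dir . '/downloads', $f));
        printf("%-22s hardened:   %s\n", '', safe_download_path($dir . '/downloads', $f) ?? 'REJECTED');
    }
    unlink($dir . '/downloads/report.csv');
    unlink($dir . '/secret.txt');
    rmdir($dir . '/downloads');
    rmdir($dir);
}
```

Run it with `php` from the command line: only `report.csv` resolves; the traversal, absolute path, NUL-byte and dotfile inputs are all rejected, while the vulnerable function happily returns a path for each. The allow-listed character class is what does most of the work; the realpath() containment check is there so that a symlink planted inside the directory cannot undo it.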
Remediation (AI)
No vendor patch exists: the project is rolling-release and the vendor did not respond to the disclosure, so no commit after 638ff9abe9078bc977c132b37acbe1900b63491c is confirmed to fix the issue. Upgrading to the latest commit is therefore not remediation on its own; inspect the current source of the download handler and confirm that it either looks files up by an identifier or against an allow-list rather than accepting a path, or at minimum canonicalizes the supplied name (realpath()) and verifies the result stays inside the download directory, rejecting ../, absolute paths, backslashes and NUL bytes. If the handler does not, patch it locally. As compensating controls pending an upstream fix, restrict /admin/index.php/datafile/download to trusted networks at the reverse proxy or firewall, and log and alert on requests to that route whose filename parameter contains traversal sequences, including URL-encoded and double-encoded forms. Because exploitation needs an account (PR:L), rotate any administrative credentials that are default or widely shared. Keep watching the repository for a fix and test new commits in staging before deploying, given the vendor's apparent lack of a security response process.
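The logging-and-alerting control above, as an added detection example that is not part of the advisory or the project: a script that scans combined-format web server access logs for requests to the vulnerable route with a traversal-looking filename. The route and parameter name are from the advisory; the log lines are constructed samples, and the decision rules are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the hfly project or the advisory. Scans access-log
// lines for requests to the vulnerable route with a suspicious filename.
const TARGET_PATH = '/admin/index.php/datafile/download';

/** Percent-decode repeatedly (bounded) so double-encoded "../" is seen. */
function deep_urldecode(string $s): string
{
    for ($i = 0; $i < 4; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            return $s;
        }
        $s = $d;
    }
    return $s;
}

/**
 * Returns a short reason if the request line targets TARGET_PATH with a
 * suspicious filename, or null if the line is benign or unrelated.
 */
function traversal_reason(string $logLine): ?string
{
    // Combined log format carries the request as "METHOD /uri HTTP/x.y".
    if (!preg_match('~"[A-Z]+ (\S+) HTTP/[0-9.]+"~', $logLine, $m)) {
        return null;
    }
    $uri  = $m[1];
    $qpos = strpos($uri, '?');
    $path = rawurldecode($qpos === false ? $uri : substr($uri, 0, $qpos));
    if ($path !== TARGET_PATH) {
        return null;
    }
    $params = [];
    parse_str($qpos === false ? '' : substr($uri, $qpos + 1), $params); // decodes once
    if (!isset($params['filename']) || !is_string($params['filename'])) {
        return null;
    }
    $name = deep_urldecode($params['filename']);              // catch double encoding
    if (strpos($name, "\0") !== false) {
        return 'NUL byte in filename';
    }
    if (strpos($name, '..') !== false) {
        return 'dot-dot sequence';
    }
    if ($name !== '' && ($name[0] === '/' || $name[0] === '\\')) {
        return 'absolute path';
    }
    if (preg_match('~^[A-Za-z]:~', $name)) {
        return 'drive-letter path';
    }
    return null;
}

/** Scan all lines; returns [lineNumber => reason] for the hits. */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $reason = traversal_reason($line);
        if ($reason !== null) {
            $hits[$i + 1] = $reason;
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sample = [
    '10.0.0.5 - - [10/Dec/2025:09:12:01 +0000] "GET /admin/index.php/datafile/download?filename=report.csv HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2025:09:12:07 +0000] "GET /admin/index.php/datafile/download?filename=..%2F..%2Fconfig%2Fdatabase.php HTTP/1.1" 200 1412 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2025:09:13:44 +0000] "GET /admin/index.php/datafile/download?filename=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2201 "-" "curl/8.4.0"',
    '10.0.0.9 - - [10/Dec/2025:09:14:02 +0000] "GET /admin/index.php/datafile/download?filename=/etc/passwd HTTP/1.1" 200 2201 "-" "curl/8.4.0"',
    '10.0.0.7 - - [10/Dec/2025:09:15:30 +0000] "GET /index.php/article/view?id=..%2F..%2Fx HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $n => $reason) {
    echo "line $n: $reason\n";
}
```

On the sample, lines 2, 3 and 4 are reported (dot-dot sequence, dot-dot sequence after double decoding, absolute path); line 1 is a normal download and line 5 hits a different route, so neither is flagged. The dot-dot rule is deliberately loose (it would also flag a legitimate name such as `file..txt`) because on an admin download endpoint a false positive costs an analyst a glance, while a bypass such as `....//` that survives a single stripping pass must not be missed. Pair the hits with the HTTP status and response size: a 200 with a body for a traversal name is the signal that the read succeeded.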