Skip to main content

Destiny Library Manager CVE-2025-45145

| EUVDEUVD-2025-209923 HIGH
Path Traversal (CWE-22)
2026-05-22 mitre GHSA-99w5-3688-qwj6
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable traversal (PR:N/UI:N/AC:L) yielding arbitrary file read, so C:H but no integrity or availability impact (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 05, 2026 - 02:24 vuln.today
CVSS changed
Jul 05, 2026 - 02:22 NVD
7.5 (None) 7.5 (HIGH)
CVE Published
May 22, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Directory traversal in Follett Software's Destiny Library Manager 22_0_2_rc1 and fixed in v.22.5 AU1 allows remote attackers to read arbitrary system and application files via the image parameter

AnalysisAI

Arbitrary file disclosure in Follett Software's Destiny Library Manager (version 22_0_2_rc1) lets remote unauthenticated attackers read system and application files by supplying directory-traversal sequences in the 'image' parameter. Publicly available exploit code exists (a Medium write-up documenting the unauthenticated LFI), and CISA's SSVC framework classifies exploitation as proof-of-concept and automatable, though EPSS remains modest at 0.46% (64th percentile). The flaw is fixed in v.22.5 AU1.

Technical ContextAI

Destiny Library Manager is Follett's web-based library circulation and cataloging platform widely deployed across K-12 schools and districts. The vulnerability is a classic CWE-22 path/directory traversal: an HTTP-exposed 'image' parameter is used to build a filesystem path without properly canonicalizing or restricting it to an intended base directory, so traversal sequences (e.g., '../../') escape the web root and resolve to arbitrary files the application's service account can read. Because the parameter is reachable pre-authentication, this manifests as an unauthenticated local file inclusion/read against the application server. The CPE data provided is a placeholder ('cpe:2.3:a:n/a:n/a:*') and the EUVD affected-version field is 'n/a', so the exact affected build must be taken from the CVE description itself (22_0_2_rc1).

RemediationAI

Upgrade to the patched release - Vendor-released patch: v.22.5 AU1 - which remediates the traversal in the image-handling code; consult Follett (http://follett.com) for the district-specific update path and any intermediate builds. Until patched, restrict exposure by placing Destiny behind a VPN or IP allow-list so the application is not directly internet-reachable, and deploy a WAF or reverse-proxy rule to reject requests whose 'image' parameter contains traversal sequences or encoded variants ('../', '..%2f', '%2e%2e', absolute paths, null bytes); note WAF filtering is a mitigation, not a fix, and can be bypassed by novel encodings. Additionally ensure the Destiny service account runs with least privilege so that even a successful traversal reads as little sensitive data as possible, and monitor web logs for anomalous 'image' parameter values. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-45145 and the public technical write-up at https://medium.com/@jaredutahusa/cve-2025-45145-unauthenticated-local-file-inclusion-in-fsc-destiny-40a3f11b3a4d.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2025-45145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy