Skip to main content

CVE-2025-49879

| EUVDEUVD-2025-19221 HIGH
Path Traversal (CWE-22)
2025-06-17 audit@patchstack.com
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-19221
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
HIGH 8.6

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa Litho allows Path Traversal. This issue affects Litho: from n/a through 3.0.

AnalysisAI

Path traversal vulnerability in themezaa Litho that allows unauthenticated network attackers to cause a denial of service by accessing files outside the intended directory structure. Affected versions range from an unspecified baseline through version 3.0 of the Litho product. The vulnerability has a high CVSS score of 8.6 with a network attack vector and no authentication requirements, making it easily exploitable by remote attackers.

Technical ContextAI

The vulnerability stems from improper input validation in pathname handling (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Litho, a theming or template engine developed by themezaa, fails to adequately sanitize user-supplied input when constructing file paths, allowing directory traversal sequences (such as '../' or absolute paths) to escape the intended restricted directory. This path traversal enables attackers to read, access, or interact with arbitrary files on the system that the Litho application has permissions to access. The attack surface is web-exposed due to the Network attack vector (AV:N) classification, suggesting this is a web application or service component vulnerable via HTTP/HTTPS requests.

Share

CVE-2025-49879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy