Skip to main content

ownCloud CVE-2025-53829

| EUVDEUVD-2025-210433 HIGH
Relative Path Traversal (CWE-23)
2026-07-06 GitHub_M
8.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Network-reachable web app (AV:N) but requires admin authentication (PR:H) and precise traversal conditions (AC:H); code execution escaping app context yields S:C and full C/I/A:H.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 17:01 EUVD
Analysis Generated
Jul 06, 2026 - 16:39 vuln.today

DescriptionCVE.org

ownCloud is a file storage, synchronization, and sharing application. In ownCloud 10 prior to version 10.15.3, an attacker with administrative privileges can exploit a path traversal vulnerability in the system to execute arbitrary code. Upgrade ownCloud 10 to version 10.15.3 or later to receive a patch.

AnalysisAI

Remote code execution in ownCloud 10 (before 10.15.3) lets an authenticated administrator abuse a relative path traversal weakness to write or reference files outside intended directories and execute arbitrary code on the server. The high-privilege requirement (PR:H) and high attack complexity (AC:H) constrain who can trigger it, but successful exploitation yields full compromise with a scope change beyond the application context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Technical ContextAI

ownCloud 10 is a PHP-based self-hosted file storage, synchronization, and sharing platform. The root cause is CWE-23 (Relative Path Traversal): a code path fails to canonicalize or constrain a user/administrator-controlled path component, allowing '../' sequences to escape the intended base directory. Because ownCloud runs under a PHP web application context, traversal into a location that is later included, executed, or interpreted by the runtime converts a file-path issue into arbitrary code execution. The affected component is identified by CPE cpe:2.3:a:owncloud:owncloud_10:*:*:*:*:*:*:*:* (the ownCloud 10 server product line).

RemediationAI

Upgrade ownCloud 10 to version 10.15.3 or later, which contains the vendor patch (Vendor-released patch: 10.15.3); this is the primary and recommended fix per advisory GHSA-4439-4wxm-c9px (https://github.com/owncloud/security-advisories/security/advisories/GHSA-4439-4wxm-c9px). If immediate patching is not possible, reduce exposure by treating the vulnerability as an administrative-privilege attack surface: strictly limit and audit the number of ownCloud administrator accounts, enforce strong authentication and MFA on admin logins, and restrict admin-panel access to trusted management networks or a VPN so that a compromised credential cannot reach the admin interface from the internet - the trade-off is added operational friction for legitimate administrators. Because exploitation writes/executes outside intended paths, also ensure the PHP process runs with least privilege and, where feasible, mount the web root or data directory with restricted execution permissions to limit the blast radius; note this can break plugins or features that expect write/execute access. Reference VulDB entry https://vuldb.com/vuln/376473 for tracking.

Share

CVE-2025-53829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy