Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable web app (AV:N) but requires admin authentication (PR:H) and precise traversal conditions (AC:H); code execution escaping app context yields S:C and full C/I/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
ownCloud is a file storage, synchronization, and sharing application. In ownCloud 10 prior to version 10.15.3, an attacker with administrative privileges can exploit a path traversal vulnerability in the system to execute arbitrary code. Upgrade ownCloud 10 to version 10.15.3 or later to receive a patch.
AnalysisAI
Remote code execution in ownCloud 10 (before 10.15.3) lets an authenticated administrator abuse a relative path traversal weakness to write or reference files outside intended directories and execute arbitrary code on the server. The high-privilege requirement (PR:H) and high attack complexity (AC:H) constrain who can trigger it, but successful exploitation yields full compromise with a scope change beyond the application context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.
Technical ContextAI
ownCloud 10 is a PHP-based self-hosted file storage, synchronization, and sharing platform. The root cause is CWE-23 (Relative Path Traversal): a code path fails to canonicalize or constrain a user/administrator-controlled path component, allowing '../' sequences to escape the intended base directory. Because ownCloud runs under a PHP web application context, traversal into a location that is later included, executed, or interpreted by the runtime converts a file-path issue into arbitrary code execution. The affected component is identified by CPE cpe:2.3:a:owncloud:owncloud_10:*:*:*:*:*:*:*:* (the ownCloud 10 server product line).
RemediationAI
Upgrade ownCloud 10 to version 10.15.3 or later, which contains the vendor patch (Vendor-released patch: 10.15.3); this is the primary and recommended fix per advisory GHSA-4439-4wxm-c9px (https://github.com/owncloud/security-advisories/security/advisories/GHSA-4439-4wxm-c9px). If immediate patching is not possible, reduce exposure by treating the vulnerability as an administrative-privilege attack surface: strictly limit and audit the number of ownCloud administrator accounts, enforce strong authentication and MFA on admin logins, and restrict admin-panel access to trusted management networks or a VPN so that a compromised credential cannot reach the admin interface from the internet - the trade-off is added operational friction for legitimate administrators. Because exploitation writes/executes outside intended paths, also ensure the PHP process runs with least privilege and, where feasible, mount the web root or data directory with restricted execution permissions to limit the blast radius; note this can break plugins or features that expect write/execute access. Reference VulDB entry https://vuldb.com/vuln/376473 for tracking.
More in Owncloud 10
View allServer-Side Request Forgery in the Anti-Virus for ownCloud extension (versions before 1.2.3, shipping with ownCloud 10 p
Server-side request forgery escalating to remote code execution in the SharePoint for ownCloud app (versions prior to 0.
Stored cross-site scripting in the DrawIO for ownCloud app (versions prior to 1.0.2, shipping with ownCloud 10 before 10
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210433