Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API with Author-level auth required (PR:L), no user interaction, deterministic traversal (AC:L); arbitrary file read yields high confidentiality only, no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile() with an empty folder argument. Attackers can bypass traversal-prevention controls in Storage::getFolderPath() to access sensitive files.
AnalysisAI
Arbitrary file read in Typemill before 2.24.0 allows authenticated Author-level users to traverse outside the content directory by injecting traversal sequences in the path query parameter when the folder argument is empty, defeating sanitization in Storage::getFolderPath(). Reported by VulnCheck with a vendor patch shipped in 2.24.0/2.24.2; no public exploit identified at time of analysis, and the CVSS 4.0 base score of 7.1 reflects high confidentiality impact with low-privilege network access.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid Author-level (or higher) Typemill account and network reachability to the Typemill admin/API surface on a vulnerable instance running a version prior to 2.24.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) accurately captures a network-reachable, low-complexity authenticated read primitive with high confidentiality impact and no integrity or availability impact, scoring 7.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains or self-registers an Author-level account (for example on a Typemill site with open author signup or via a phished/reused credential) logs in, then issues an authenticated API request to the page-media endpoint with folder= empty and path=../../../../etc/passwd (or path traversal to the site's settings YAML containing API keys and the user database). The server resolves the file outside the content directory and returns its contents, giving the attacker offline-crackable password hashes or secrets to escalate to admin or pivot to other services; no public exploit identified at time of analysis, but the bug class is well understood and trivially reproducible from the description. |
| Remediation | Upgrade to Typemill 2.24.0 or, preferably, 2.24.2 which bundles this fix together with patches for password-reset poisoning, 2FA brute force, and unique-user issues (release notes at https://github.com/typemill/typemill/releases/tag/v2.24.2; fix commit bfbb27001acd5c56ad62166dbefe6a59798cf1c0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Typemill deployments and audit users with Author-level or higher privileges. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. Rated high sev
Reflected XSS in Typemill's login error page allows unauthenticated attackers to inject malicious scripts by crafting re
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today