Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Directory Traversal vulnerability in Novel Plus before v.5.1.0 allows a remote attacker to execute arbitrary code via the filePath parameter.
Analysis (AI)
CVE-2025-45890 is a critical directory traversal vulnerability in Novel Plus before v5.1.0 that allows unauthenticated remote attackers to execute arbitrary code by manipulating the filePath parameter. The vulnerability has a CVSS score of 9.8 (critical severity) with a network-based attack vector requiring no privileges or user interaction. Given the critical CVSS metrics and remote code execution capability, this vulnerability poses an immediate and severe risk to all unpatched Novel Plus installations and warrants emergency patching.
Technical Context (AI)
This vulnerability exploits improper input validation in the filePath parameter handling within Novel Plus, a web application framework. The root cause is classified as CWE-22 (Path Traversal), which occurs when user-supplied input is used to construct file paths without adequate sanitization or canonicalization. Attackers can use directory traversal sequences (e.g., '../', '..\', Unicode encoding, or path normalization bypasses) to escape intended directories and access arbitrary files on the system. The ability to traverse to sensitive locations combined with file read/write operations enables arbitrary code execution, likely through overwriting application files, configuration files, or uploading malicious scripts to executable directories. The vulnerability likely affects the file handling subsystem across multiple endpoints that accept filePath as a parameter without proper validation against path traversal attacks.
Remediation (AI)
Immediate actions:
(1) Upgrade all Novel Plus installations to version 5.1.0 or later immediately; this is a critical emergency patch.
(2) If immediate upgrade is impossible, implement emergency mitigations:
    (a) Disable or restrict access to any endpoints accepting filePath parameters using Web Application Firewall (WAF) rules blocking path traversal sequences ('../', '..\', URL encoding variants, Unicode normalization).
    (b) Implement strict input validation on filePath parameters, rejecting any input containing path traversal characters or sequences.
    (c) Run Novel Plus with minimal file system permissions, restricting write access to only necessary directories.
    (d) Enable file integrity monitoring on application directories to detect unauthorized modifications.
(3) Verify patch integrity after upgrade.
(4) Restart all affected services after patching.
(5) Monitor application logs for exploitation attempts using patterns like '../', '..%2f', or other path traversal indicators in filePath parameters.
(6) Conduct post-incident forensics to identify any successful exploitations or file modifications.
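For step (5), a log scan that decodes the filePath value before matching, so encoded variants are caught and harmless names containing '..' are not. This is an added example, not code from the advisory or from Novel Plus; the log lines, the combined log format and the /example/endpoint route are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); the route
# /example/endpoint is a placeholder, not a real Novel Plus endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /example/endpoint?filePath=covers/book1.jpg HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /example/endpoint?filePath=..%2f..%2fconf%2fapp.yml HTTP/1.1" 200 811
203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /example/endpoint?filePath=%252e%252e%255cconf HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /example/endpoint?filePath=notes/v1..2/readme.txt HTTP/1.1" 200 90
198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "POST /example/endpoint?id=7 HTTP/1.1" 200 12
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment is exactly '..' after decoding (backslash is a separator)."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def find_traversal_attempts(log_text, param="filePath"):
    """Return (client_ip, status, raw_value) for each request whose param shows traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # Split the raw query by hand so the value is reported exactly as logged.
        for pair in urlsplit(target).query.split("&"):
            name, _, raw_value = pair.partition("=")
            if unquote(name) == param and has_traversal(raw_value):
                hits.append((ip, int(status), raw_value))
    return hits

if __name__ == "__main__":
    for ip, status, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} filePath={value}")
```

Hits that returned a 2xx status are the ones to triage first for step (6). The scan covers percent-encoding and backslash separators only, and it sees only parameters that appear in the logged request line.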
EUVD-2025-19049