Vulnerability Description
A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests with malicious traversal sequences to /share/file/ upload endpoint, which does not require any authorization.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lanol | Filecodebox | <= 2.2 |
Related Weaknesses (CWE)
References
- https://github.com/vastsa/FileCodeBoxProduct
- https://github.com/vastsa/FileCodeBox/issues/349ExploitIssue Tracking
FAQ
What is CVE-2025-51661?
CVE-2025-51661 is a vulnerability with a CVSS score of 7.5 (HIGH). A path Traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when application is configured to use local filesystem storage. SystemFileStorage.save_file method in ...
How severe is CVE-2025-51661?
CVE-2025-51661 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-51661?
Check the references section above for vendor advisories and patch information. Affected products include: Lanol Filecodebox.