CVE-2025-15589

3.8 LOW

📋 TL;DR

This CVE describes a path traversal vulnerability in the Template Management page of MuYuCMS 2.7. The delete_dir_file function takes a file path from the request without confining it to the template directory, so a remote attacker who can reach the page can delete arbitrary files, limited only by what the web server account is permitted to remove. All MuYuCMS 2.7 installations that ship the component are affected.

💻 Affected Systems

Products:
  • MuYuCMS
Versions: 2.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the Template Management page, which is part of the admin interface and normally requires an authenticated admin session.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Deletion of any file the web server account can remove, including application configuration, uploaded data, and files outside the web root, causing persistent outage and data loss; removing configuration or access-control files can weaken other defences and open the way to further compromise.

🟠

Likely Case

Website defacement or breakage by deleting templates, static assets, or other web application files, with the resulting service disruption and data loss.

🟢

If Mitigated

Limited impact when the web server account can delete only in the directories it genuinely needs (templates, uploads, cache) and the application runs confined (chroot, container, or similar), so a traversal reaches nothing important.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated session on the admin interface. A public PoC is referenced (a GitHub gist); given admin access, crafting the request is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None

Restart Required: No

Instructions:

No official patch is known. Upgrade to a newer MuYuCMS release if one is available and addresses this issue; otherwise apply the workarounds below.

🔧 Temporary Workarounds

Input Validation / Sanitization

Platform: all

Add a containment check to the delete_dir_file function so the requested path cannot leave the template directory.

Edit application/admin/controller/Template.php so that the value taken from the 'temn/tp' parameter is resolved to an absolute path (realpath) and rejected unless the result lies under the template root. Stripping '..' alone is not sufficient: URL-encoded variants and symlinks bypass purely lexical filters.
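As an added example (not MuYuCMS code; the real signature of delete_dir_file is not reproduced here), the following PHP shows the unsafe concatenate-and-delete pattern next to a hardened version that resolves the path and refuses anything outside the template root. The parameter name 'tp', the template root location and the sandbox directories are assumptions constructed for the demo.

```php
<?php
// Added example, not from the MuYuCMS code base. Assumes template files live
// under $root and the request supplies a relative path in a parameter called
// 'tp' (an assumption; the page names 'temn/tp').
declare(strict_types=1);

/**
 * Resolve $relative beneath $root and return the absolute path only if it
 * stays inside $root. Returns null for traversal, absolute paths, NUL bytes,
 * missing targets, or symlink escapes. realpath() collapses '..' and follows
 * symlinks, so the prefix comparison happens on the real location.
 */
function safeTemplatePath(string $root, string $relative): ?string
{
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    // Absolute paths (POSIX, UNC or drive letter) are never valid here.
    if ($relative[0] === '/' || $relative[0] === '\\' || preg_match('/^[A-Za-z]:/', $relative)) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null; // target does not exist; nothing to delete
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate === $rootReal || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // the root itself, or anything outside it
    }
    return $candidate;
}

/** Vulnerable pattern (illustrative): concatenate and delete. */
function deleteTemplateFileUnsafe(string $root, string $tp): bool
{
    $path = $root . '/' . $tp; // 'tp=../../config/database.php' escapes $root
    return is_file($path) && unlink($path);
}

/** Hardened: only files that resolve inside the template directory. */
function deleteTemplateFileSafe(string $root, string $tp): bool
{
    $path = safeTemplatePath($root, $tp);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed sandbox in the system temp directory for the demo.
$sandbox = sys_get_temp_dir() . '/muyu_demo_' . getmypid();
mkdir("$sandbox/template/default", 0700, true);
mkdir("$sandbox/config", 0700, true);
file_put_contents("$sandbox/template/default/index.html", 'tpl');
file_put_contents("$sandbox/config/database.php", '<?php // secrets');
$root = "$sandbox/template";

echo 'traversal delete accepted: ', var_export(deleteTemplateFileSafe($root, '../config/database.php'), true), PHP_EOL;
echo 'config file still present: ', var_export(file_exists("$sandbox/config/database.php"), true), PHP_EOL;
echo 'in-root delete accepted:   ', var_export(deleteTemplateFileSafe($root, 'default/index.html'), true), PHP_EOL;

// Clean up the sandbox.
unlink("$sandbox/config/database.php");
rmdir("$sandbox/config");
rmdir("$sandbox/template/default");
rmdir("$sandbox/template");
rmdir($sandbox);
```

Run with `php example.php`: the traversal attempt is refused and the config file survives, while the in-root template file is deleted. The check must happen on the realpath() result, not on the raw parameter, because `%2e%2e%2f`, overlong sequences, or a symlink planted under the template directory all defeat string filtering; the same containment test should gate directory deletion if delete_dir_file removes directories as well as files.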

Access Restriction

Platform: all

Restrict the Template Management page, and preferably the whole admin module, to trusted source IP addresses.

Configure the web server (Apache .htaccess or an Nginx location block) to allow only those addresses. Note that application/admin/controller/Template.php is the controller's source file in MuYuCMS's ThinkPHP-style layout; requests are dispatched by module/controller/action, so the rule must match the admin route your deployment exposes rather than that file path.

🧯 If You Can't Patch

  • Disable or remove the Template Management Page if not in use.
  • Give the web server account delete permission only on the directories it needs (templates, uploads, cache) and run the application in a chroot or container so a traversal cannot reach files outside it.

🔍 How to Verify

Check if Vulnerable:

Check if MuYuCMS version is 2.7 and the file application/admin/controller/Template.php exists with the vulnerable delete_dir_file function.

Check Version:

Check the MuYuCMS configuration or version file, typically in the root directory.

Verify Fix Applied:

Against a non-production copy, submit path traversal payloads (including URL-encoded forms such as %2e%2e%2f) to the Template Management page's delete action and confirm they are rejected and that no file outside the template directory is removed.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletions in application or audit logs, and web server log entries whose parameters carry traversal sequences ('../', '..\\') or their URL-encoded forms ('%2e%2e%2f', '..%2f').

Network Indicators:

  • HTTP requests to the admin template management route (the literal source path application/admin/controller/Template.php will not appear in the URI) whose parameters contain traversal sequences, plain or URL-encoded.

SIEM Query:

source="web_logs" AND uri="*template*" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*" OR uri="*%2e%2e/*" OR uri="*..%2f*")

Parameters submitted in a POST body do not appear in access logs; if the delete action is a POST, add application-level logging of delete_dir_file calls and alert on paths that resolve outside the template directory.
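As an added detection example (not part of the page or the project), this PHP script applies the logic of the query above to access log lines: it extracts the request target, URL-decodes it (twice, to unwrap double encoding), and reports lines that both touch a template route and contain a traversal sequence. The admin route '/admin/template/delete_dir_file' and the log lines are constructed for the demo; MuYuCMS's actual routes are not reproduced here.

```php
<?php
// Added example, not from the page or from MuYuCMS. Assumes combined log
// format and that the template handler's route contains "template"; the
// sample lines and the route are constructed for the demonstration.
declare(strict_types=1);

/**
 * Return the log lines whose request target hits a template route and
 * carries '../' (or '..' at end of target) after URL decoding. Backslashes
 * are normalised so '..\' is caught as well.
 */
function findTraversalHits(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the request target out of "METHOD /target HTTP/x.y".
        if (!preg_match('#"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $decoded = $m[1];
        // Decode at most twice; stop early once the string is stable.
        for ($i = 0; $i < 2; $i++) {
            $next = rawurldecode($decoded);
            if ($next === $decoded) {
                break;
            }
            $decoded = $next;
        }
        $decoded = str_replace('\\', '/', $decoded);
        if (stripos($decoded, 'template') === false) {
            continue; // traversal aimed elsewhere; out of scope for this rule
        }
        if (preg_match('#\.\.(?:/|$)#', $decoded)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample: one benign template request, two traversal attempts
// (plain and URL-encoded), one legitimate delete, one traversal elsewhere.
$sample = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/template/index HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /admin/template/delete_dir_file?tp=../../config/database.php HTTP/1.1" 200 42',
    '10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /admin/template/delete_dir_file?tp=%2e%2e%2f%2e%2e%2fconfig%2fdatabase.php HTTP/1.1" 200 42',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /admin/template/delete_dir_file?tp=default/footer.html HTTP/1.1" 200 42',
    '10.0.0.7 - - [01/Jan/2025:10:00:11 +0000] "GET /index.php?s=/../../etc/passwd HTTP/1.1" 404 0',
];

foreach (findTraversalHits($sample) as $hit) {
    echo $hit, PHP_EOL;
}
```

On the constructed sample the two delete_dir_file requests with traversal (plain and encoded) are reported; the legitimate delete and the traversal against a non-template path are not. Decoding before matching is what makes the encoded variant visible; a rule that only searches the raw URI for '../' misses it.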
