CVE-2026-25575

7.5 HIGH

📋 TL;DR

CVE-2026-25575 is a path traversal vulnerability in NavigaTUM's propose_edits endpoint that allows unauthenticated attackers to overwrite files in writable directories. This could lead to defacement of public images or filling server storage. All NavigaTUM instances prior to commit 86f34c7 are affected.

💻 Affected Systems

Products:
  • NavigaTUM
Versions: All versions prior to commit 86f34c7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the propose_edits endpoint to be accessible and writable directories like /cdn to exist.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via file overwrite leading to remote code execution, data destruction, or persistent backdoor installation.

🟠 Likely Case

Website defacement by replacing public images, denial of service by filling storage, or data corruption.

🟢 If Mitigated

No impact if proper input validation and directory restrictions are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST with crafted JSON payload containing path traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 86f34c72886a59ec8f1e6c00f78a5ab889a70fd0

Vendor Advisory: https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm

Restart Required: Yes

Instructions:

1. Pull the latest NavigaTUM repository.
2. Apply commit 86f34c7.
3. Restart the application server.

🔧 Temporary Workarounds

Disable propose_edits endpoint (all platforms)

Temporarily disable the vulnerable endpoint until patching: modify the application configuration to block access to /propose_edits.

Restrict file write permissions (linux)

Remove write permissions from the application user on sensitive directories. Note that this also blocks any legitimate writes the application makes to those directories, so confirm nothing else depends on them before applying it.

chmod -R a-w /path/to/cdn
chmod -R a-w /path/to/other/writable/dirs

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block path traversal patterns in JSON payloads.
  • Monitor file system changes in writable directories and alert on unexpected modifications.

🔍 How to Verify

Check if Vulnerable:

Check if commit 86f34c7 is applied: git log --oneline | grep 86f34c7

Check Version:

git rev-parse HEAD

Verify Fix Applied:

Test propose_edits endpoint with traversal payloads; should reject or sanitize input.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /propose_edits with JSON containing ../ sequences
  • File write operations outside expected temporary directories

Network Indicators:

  • Unusual POST payload sizes to propose_edits endpoint
  • Multiple rapid requests to the same endpoint

SIEM Query:

source="web_logs" AND uri_path="/propose_edits" AND request_body MATCHES ".*\\.\\./.*"
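The log indicators and SIEM pattern above, written out as a small Python detector; this is an added example, not code from NavigaTUM or the advisory. The log line format (METHOD PATH STATUS JSON_BODY) and the JSON body layout are constructed assumptions, and the detector goes one step beyond the plain `../` regex by decoding percent-encoded dot-segments before matching.

```python
import json
import re
from urllib.parse import unquote
# Constructed sample log lines (not from a real NavigaTUM deployment); the
# line format METHOD PATH STATUS JSON_BODY and the body layout are assumed.
SAMPLE_LOG = [
    'POST /propose_edits 200 {"edits":[{"key":"5602.EG.001","image":{"name":"room.png"}}]}',
    'POST /propose_edits 200 {"edits":[{"key":"x","image":{"name":"../../cdn/logo.png"}}]}',
    'POST /propose_edits 200 {"edits":[{"key":"x","image":{"name":"..%2F..%2Fcdn%2Flogo.png"}}]}',
    'GET /search 200 {}',
]

TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")  # dot-segment delimited by / or \ or string boundary

def normalize(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so encoded dot-segments compare like plain ones."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def walk_strings(node, path=""):
    """Yield (json_path, string) for every string value in a parsed JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{i}]")

def find_traversal_requests(lines, endpoint="/propose_edits"):
    """Return one finding per suspicious field: (line number, json path, raw value)."""
    findings = []
    for n, line in enumerate(lines, 1):
        method, uri, _status, body = line.split(" ", 3)
        if method != "POST" or not uri.rstrip("/").endswith(endpoint):
            continue
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            findings.append((n, "<unparseable body>", body))  # flag for manual review
            continue
        for json_path, value in walk_strings(doc):
            if TRAVERSAL_RE.search(normalize(value)):
                findings.append((n, json_path, value))
    return findings
```

Run over the constructed sample, lines 2 and 3 are flagged at `edits[0].image.name` while the legitimate upload and the unrelated GET are ignored.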
