PT-2025-14701 · Os4Ed · Os4Ed Opensis
Published: 2025-04-03 · Updated: 2025-04-04
CVE-2025-22926
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OS4ED openSIS versions 8.0 through 9.1
Description
The issue allows attackers to perform a directory traversal by sending a crafted POST request to "/Modules.php?modname=messaging/Inbox.php&modfunc=save&filename". This potentially enables them to access or manipulate files outside the intended directory structure.
Recommendations
For OS4ED openSIS versions 8.0 through 9.1, consider restricting access to the "/Modules.php?modname=messaging/Inbox.php&modfunc=save&filename" endpoint until a patch is available. As a temporary workaround, disabling the save function in the messaging module may help mitigate the risk of exploitation.
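While access to the endpoint is being restricted, web server logs can be reviewed for requests that match the description. The following is an added example, not code from the advisory or from openSIS: it assumes the `filename` value appears in the query string, as the advisory's URL suggests, and that logs use the common/combined format; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed log layout: quoted "METHOD URI PROTOCOL" (common/combined format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(filename):
    """True for a '..' segment, absolute path, drive prefix or NUL byte."""
    name = fully_decode(filename).replace("\\", "/")
    if "\x00" in name or name.startswith("/") or re.match(r"[A-Za-z]:", name):
        return True
    return ".." in name.split("/")

def suspicious_requests(log_lines):
    """Return (line_number, filename) for save requests that fail the check."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "POST":
            continue
        parts = urlsplit(match.group("uri"))
        query = parse_qs(parts.query, keep_blank_values=True)
        if not parts.path.endswith("/Modules.php"):
            continue
        # Module and function named in the advisory.
        if query.get("modname") != ["messaging/Inbox.php"] or query.get("modfunc") != ["save"]:
            continue
        hits += [(number, f) for f in query.get("filename", []) if is_traversal(f)]
    return hits

# Constructed sample lines, not real traffic.
PREFIX = '203.0.113.5 - - [03/Apr/2025:10:00:01 +0000] "POST /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename='
SAMPLE_LOG = [
    PREFIX + 'report.pdf HTTP/1.1" 200 512',
    PREFIX + '..%2F..%2Fconfig.txt HTTP/1.1" 200 87',
    PREFIX + '%252e%252e%252fdata.txt HTTP/1.1" 200 87',
    '203.0.113.5 - - [03/Apr/2025:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```

If the deployment passes `filename` in the POST body instead, access logs will not contain it and the same `is_traversal` check would need to run where request bodies are visible, such as a reverse proxy or WAF.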
Path traversal
Affected Products
Os4Ed Opensis