PT-2025-26645 · Convoy · Convoy
Anushk-Fro · Published 2025-06-23 · Updated 2025-07-31 · CVE-2025-52562
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Convoy versions 3.9.0-rc3 through 4.4.0
Description: Convoy is a KVM server management panel for hosting businesses. A directory traversal vulnerability exists in the LocaleController component: an unauthenticated remote attacker can exploit it by sending a specially crafted HTTP request with malicious locale and namespace parameters, which allows arbitrary PHP files on the server to be included and executed. The issue has been patched in version 4.4.1. As a temporary workaround, apply strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.
Recommendations: For Convoy versions 3.9.0-rc3 through 4.4.0, update to version 4.4.1 to resolve the issue. As a temporary workaround, apply strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.
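A defensive check for the two parameters named above, as an added example that is not Convoy's code: an allowlist for `locale` and `namespace`, a containment check on the resolved language-file path, and the same allowlist run over constructed access-log lines to flag requests a WAF rule would block. The endpoint path, log format and sample values are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Allowlists: a locale is a short language tag, a namespace a plain identifier.
# Neither may contain '/', '\', '.', or NUL, so traversal sequences cannot match.
PARAM_RULES = {
    "locale": re.compile(r"^[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?$"),
    "namespace": re.compile(r"^[A-Za-z0-9_]{1,32}$"),
}

def unsafe_params(params: dict) -> list:
    """Names of the locale/namespace values that fail the allowlist."""
    return [k for k, rule in PARAM_RULES.items()
            if k in params and not rule.fullmatch(params[k])]

def resolve_lang_file(base_dir: Path, locale: str, namespace: str):
    """Build <base>/<locale>/<namespace>.php and refuse anything outside base_dir.
    Two layers: allowlist first, then a containment check on the resolved path."""
    if unsafe_params({"locale": locale, "namespace": namespace}):
        return None
    base = base_dir.resolve()
    candidate = (base / locale / f"{namespace}.php").resolve()
    return candidate if base in candidate.parents else None

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flag_request(line: str):
    """Return a reason when a logged request carries unsafe locale/namespace values.
    parse_qs percent-decodes, so encoded separators are checked in decoded form."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    flat = {k: v[0] for k, v in query.items()}
    bad = unsafe_params(flat)
    if not bad:
        return None
    return "unsafe " + ", ".join(f"{k}={flat[k]!r}" for k in bad)

# Constructed sample access-log lines (not from the advisory); the endpoint
# path "/locales" is a placeholder, the point is the parameter values.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jun/2025:10:00:01 +0000] "GET /locales?locale=en&namespace=auth HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2025:10:00:02 +0000] "GET /locales?locale=..%2F..%2Fstorage&namespace=x HTTP/1.1" 200 90',
]

def scan(lines):
    """(index, reason) for every log line whose parameters fail the allowlist."""
    return [(i, r) for i, line in enumerate(lines) if (r := flag_request(line))]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_LOG):
        print(f"line {i}: {reason}")
```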

Tags: Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-52562, GHSA-43G3-QPWQ-HFGG

Affected Products: Convoy