PT-2025-47121 · Wwwlike · Vlife

R1Ckyz · Published 2025-11-17 · Updated 2025-11-19 · CVE-2025-13266

CVSS v3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

wwwlike vlife versions up to 2.0.1

Description

A security issue exists in wwwlike vlife that allows for path traversal. The issue is located in the create function within the vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java file of the VLifeApi component. Manipulation of the fileName argument enables remote exploitation. The exploit for this issue has been publicly disclosed.

Recommendations

Versions prior to 2.0.1 should be updated. As a temporary workaround, consider restricting access to the create function within the VLifeApi component until a patch is available. Avoid using untrusted or user-supplied data for the fileName parameter in the affected API endpoint.
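
Where a client-supplied fileName cannot be avoided, it can be confined to the upload directory before any file is written. The following is an added example, not code from vlife or from this advisory; the class name SafeUploadPath, the resolve helper and the temporary upload root are hypothetical, and the sample inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: SafeUploadPath and resolve() are hypothetical names,
// not taken from SysFileApi.java.
public class SafeUploadPath {

    /** Resolve a client-supplied fileName under root, or throw if it would escape it. */
    static Path resolve(Path root, String fileName) throws IOException {
        if (fileName == null || fileName.isBlank() || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        // Reject both separator styles regardless of the host OS, so a
        // backslash form is refused on Linux and a slash form on Windows.
        if (fileName.contains("/") || fileName.contains("\\")) {
            throw new IllegalArgumentException("file name must not contain a path separator");
        }
        if (fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("file name must not be a directory reference");
        }
        // Canonicalise the root (resolves symlinks), then confirm the normalised
        // target is still strictly inside it. The earlier checks are defence in
        // depth and give clearer errors; this containment check is the backstop.
        Path realRoot = root.toRealPath();
        Path target = realRoot.resolve(fileName).normalize();
        if (!target.startsWith(realRoot) || target.equals(realRoot)) {
            throw new IllegalArgumentException("file name escapes the upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("upload-root"); // constructed sandbox directory
        // Constructed sample inputs: one benign name, the rest traversal attempts.
        String[] samples = { "report.pdf", "../../etc/passwd", "..\\..\\boot.ini",
                             "/etc/passwd", "..", "a/../../b" };
        for (String s : samples) {
            try {
                System.out.println("accepted " + s + " -> " + resolve(root, s).getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only report.pdf is accepted; every other sample is rejected before a path outside the upload root can be produced.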

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-13266
GHSA-CG6M-9276-QPJJ

Affected Products

Vlife