PT-2025-47121 · Wwwlike · Vlife
R1Ckyz · Published 2025-11-17 · Updated 2025-11-19 · CVE-2025-13266
CVSS v4.0: 5.5 Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
wwwlike vlife versions up to 2.0.1
Description
A security issue exists in wwwlike vlife that allows for path traversal. The issue is located in the create function within the vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java file of the VLifeApi component. Manipulation of the fileName argument enables remote exploitation. The exploit for this issue has been publicly disclosed.
Recommendations
Versions prior to 2.0.1 should be updated. As a temporary workaround, consider restricting access to the create function within the VLifeApi component until a patch is available. Avoid using untrusted or user-supplied data for the fileName parameter in the affected API endpoint.
Exploit
Fix
Path traversal
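The fileName recommendation above, as an added example (not code from vlife or from this advisory): a hypothetical helper, `SafeUploadPath.resolve`, that accepts a client-supplied name only when it is a single path component resolving directly inside the upload directory. The class name, method name and sample inputs are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.List;

// Added illustration; not code from vlife. Class and method names are hypothetical.
public class SafeUploadPath {

    /** Resolves a client-supplied file name inside baseDir, or throws. */
    static Path resolve(Path baseDir, String fileName) {
        if (fileName == null || fileName.isBlank() || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        // Reject both separator styles so the check does not depend on the host OS.
        if (fileName.contains("/") || fileName.contains("\\")
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("file name must be a single path component");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid file name", e);
        }
        // Defence in depth: the normalized result must be a direct child of base.
        if (!base.equals(target.getParent())) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");
        // Constructed sample inputs: one ordinary name, the rest must be rejected.
        List<String> samples = List.of("report.pdf", "../../etc/passwd",
                "..\\..\\web.xml", "/etc/cron.d/job", "..", "a/b.txt");
        for (String name : samples) {
            try {
                System.out.println("accepted: " + resolve(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Storing uploads under a server-generated name and keeping the client's name only as metadata removes the untrusted value from the path entirely. This check does not follow symbolic links, so the upload directory itself should not contain links writable by untrusted users.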
Affected Products
Vlife