CVE-2025-14521

Name of the Vulnerable Software and Affected Versions baowzh hfly versions prior to 638ff9abe9078bc977c132b37acbe1900b63491c

Description A security issue exists in baowzh hfly that allows for path traversal. This occurs due to manipulation of the filename argument in the /admin/index.php/datafile/download API endpoint. The vulnerability is present in an unknown function within the /admin/index.php/datafile/download file. The exploit has been publicly disclosed and may be used remotely. The vendor was notified but did not respond.

Recommendations Apply updates to versions prior to 638ff9abe9078bc977c132b37acbe1900b63491c. As a temporary workaround, restrict access to the /admin/index.php/datafile/download API endpoint. Avoid using the filename parameter in the /admin/index.php/datafile/download API endpoint until the issue is resolved.