PT-2026-40449 · Heym · Heym

Published: 2026-05-12 · Updated: 2026-05-13 · CVE-2026-45225

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Heym versions prior to 0.0.21
Description: Authenticated users can write attacker-controlled files to arbitrary locations by supplying a crafted filename that contains path traversal sequences such as "../". The cause is an unvalidated filename parameter in the upload file() handler of the file upload endpoint: the client-supplied name is used to build the destination path without being checked against the intended storage directory, so an attacker who holds a low-privilege account (CVSS PR:L, no user interaction required) can write, read, or delete files outside that directory. Path traversal (directory traversal) is a technique for reaching files and directories stored outside the directory an application is meant to expose, such as the web root or an upload folder.
Recommendations: Update to version 0.0.21 or later. As a temporary workaround, restrict access to the upload file() handler to reduce the risk of exploitation until the update can be applied.
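As an added illustration of the defect class this advisory describes (example code written for this page, not Heym's own handler; the function names, the storage root /var/app/uploads and the sample filenames are assumptions constructed here), the following contrasts the vulnerable pattern, joining a client-supplied filename straight onto the storage directory, with a hardened version that rejects anything other than a single plain file name and then verifies that the resolved target still lies inside the storage root:

```python
import os
from typing import Dict, Optional, Tuple

# Constructed sample filenames an authenticated user might submit to an upload
# endpoint. None of these come from the advisory or from Heym itself.
SAMPLE_FILENAMES = [
    "report.pdf",                 # benign
    "../../../etc/cron.d/job",    # classic POSIX traversal
    "/etc/passwd",                # absolute path: os.path.join discards the base
    "..\\..\\web.config",         # Windows-style separators
    "uploads/../../app.py",       # traversal hidden behind a plausible prefix
    "..",                         # bare parent reference
    "notes\x00.txt",              # embedded NUL, can truncate names in C-backed APIs
]


def unsafe_upload_path(storage_dir: str, filename: str) -> str:
    """The vulnerable pattern: the client-supplied filename is joined to the
    storage directory without validation, so '..' segments walk out of it and
    an absolute filename replaces the storage directory entirely."""
    return os.path.normpath(os.path.join(storage_dir, filename))


def safe_upload_path(storage_dir: str, filename: str) -> Optional[str]:
    """Hardened pattern: accept only a single plain file name, then confirm the
    resolved destination is still inside the resolved storage root.
    Returns the destination path, or None when the name must be rejected."""
    if not filename or "\x00" in filename:
        return None
    # Reject any directory component, whether POSIX or Windows style, rather
    # than trying to strip or normalise it; a file name never needs a separator.
    if "/" in filename or "\\" in filename:
        return None
    if filename in (".", ".."):
        return None
    root = os.path.realpath(storage_dir)
    candidate = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: os.path.commonpath equals the root only when the
    # candidate is at or below it, so a symlink or normalisation surprise
    # cannot move the write outside the storage directory.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def classify(storage_dir: str, filenames) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each sample filename to (unsafe result, safe result) for comparison."""
    return {
        name: (unsafe_upload_path(storage_dir, name), safe_upload_path(storage_dir, name))
        for name in filenames
    }


if __name__ == "__main__":
    for name, (unsafe, safe) in classify("/var/app/uploads", SAMPLE_FILENAMES).items():
        print(f"{name!r:30} unsafe -> {unsafe!s:34} safe -> {safe}")
```

Running the block shows that the unsafe variant resolves "../../../etc/cron.d/job" to /etc/cron.d/job and "/etc/passwd" to /etc/passwd, which is exactly the write-anywhere primitive the advisory describes, while the hardened variant returns None for every sample except report.pdf. Whitelisting a plain file name is preferable to blacklisting ".." because encoded, doubled or platform-specific variants keep appearing; the containment check then catches anything the first filter missed.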

Weakness Enumeration: Path traversal
Related Identifiers: CVE-2026-45225
Affected Products: Heym