PT-2026-6324 · Navigatum · Navigatum

Gebhartleopold-Coder · Published 2026-02-04 · Updated 2026-02-05 · CVE-2026-25575
CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: NavigaTUM versions prior to commit 86f34c7
Description: NavigaTUM is a website and API for searching locations. Its propose edits API endpoint accepts file keys in the JSON payload and uses them, without sanitisation, to build paths under a temporary directory. Because each key is joined onto that directory as-is, a key containing traversal sequences (e.g. ../../) escapes it, so an unauthenticated attacker can write files into any directory the application user can write to, such as /cdn. Possible impacts are replacing public images served from /cdn and filling the server's storage with uploaded data.
API Endpoints: /propose edits
Vulnerable Parameters or Variables: file keys (within the JSON payload)
Recommendations: Update NavigaTUM to commit 86f34c7 or later. Because the endpoint needs no authentication, operators who ran an older build should also check /cdn for files with unexpected contents or modification times, and check the temporary directory and /cdn for unexpected growth.
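The unsafe join the description refers to, next to a hardened variant, as an added Rust example (Rust being the language of NavigaTUM's server). This is illustration code written for this page, not the project's own code and not the actual fix in commit 86f34c7; the base directory, the sample file keys and the helper names are assumptions. Normalisation is done lexically so the example runs offline without the directories existing.

```rust
use std::path::{Component, Path, PathBuf};

/// The pattern the advisory describes: an attacker-controlled file key is joined
/// onto the temporary directory as-is. `Path::join` keeps `..` components, so a
/// key such as "../../cdn/logo.png" lands outside `base`.
pub fn naive_target(base: &Path, file_key: &str) -> PathBuf {
    base.join(file_key)
}

/// Resolve `.` and `..` components lexically, without touching the filesystem,
/// so the example shows where a path really points even when the directories
/// do not exist on this machine.
pub fn lexical_normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hardened variant: a file key must be exactly one normal path component (a
/// bare file name), so `..`, `.`, absolute paths and nested paths are rejected
/// before anything is joined. The containment check afterwards is a second
/// guard in case the allow-list above is ever loosened.
pub fn safe_target(base: &Path, file_key: &str) -> Result<PathBuf, String> {
    let mut comps = Path::new(file_key).components();
    let name = match (comps.next(), comps.next()) {
        (Some(Component::Normal(name)), None) => name,
        _ => return Err(format!("rejected file key {file_key:?}: not a bare file name")),
    };
    let target = lexical_normalize(&base.join(name));
    if target.starts_with(lexical_normalize(base)) {
        Ok(target)
    } else {
        Err(format!("rejected file key {file_key:?}: escapes {}", base.display()))
    }
}

fn main() {
    // Constructed sample: an assumed temporary upload directory and JSON
    // "file keys", one carrying the traversal sequence from the advisory.
    let base = Path::new("/srv/navigatum/tmp");
    for key in ["upload-42.png", "../../cdn/logo.png", "/etc/passwd", "sub/dir.png"] {
        let naive = lexical_normalize(&naive_target(base, key));
        let verdict = if naive.starts_with(base) { "inside base" } else { "ESCAPES base" };
        println!("{key:?}: naive -> {} ({verdict})", naive.display());
        match safe_target(base, key) {
            Ok(p) => println!("{key:?}: safe  -> {}", p.display()),
            Err(e) => println!("{key:?}: safe  -> {e}"),
        }
    }
}
```

Rejecting anything that is not a single normal component is stricter than stripping `..` from the string: it also refuses absolute keys, `./name`, empty keys and nested paths, and it leaves no encoding trick to play with. The remaining storage-exhaustion angle the description mentions is not addressed by path checks and needs a size limit on the upload itself.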


Weakness Enumeration: Relative Path Traversal; Path traversal

Related Identifiers: CVE-2026-25575, GHSA-59HJ-F48W-HJFM

Affected Products: Navigatum