{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10669", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-09-18T05:34:44.815Z", "datePublished": "2025-09-18T13:32:09.467Z", "dateUpdated": "2025-09-18T13:40:39.251Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-09-18T13:32:09.467Z"}, "title": "Airsonic-Advanced Playlist Upload unrestricted upload", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "Unrestricted Upload"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}], "affected": [{"vendor": "n/a", "product": "Airsonic-Advanced", "versions": [{"version": "10.0", "status": "affected"}, {"version": "10.1", "status": "affected"}, {"version": "10.2", "status": "affected"}, {"version": "10.3", "status": "affected"}, {"version": "10.4", "status": "affected"}, {"version": "10.5", "status": "affected"}, {"version": "10.6.0", "status": "affected"}], "modules": ["Playlist Upload Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Airsonic-Advanced up to 10.6.0. This vulnerability affects unknown code of the component Playlist Upload Handler. Performing manipulation results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used."}, {"lang": "de", "value": "In Airsonic-Advanced bis 10.6.0 wurde eine Schwachstelle gefunden. Es ist betroffen eine unbekannte Funktion der Komponente Playlist Upload Handler. Durch Manipulation mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Es ist m\u00f6glich, den Angriff aus der Ferne durchzuf\u00fchren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-09-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-09-18T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-09-18T07:40:15.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "mikecole-mg (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.324790", "name": "VDB-324790 | Airsonic-Advanced Playlist Upload unrestricted upload", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.324790", "name": "VDB-324790 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.652356", "name": "Submit #652356 | GitHub Airsonic-Advanced 10.6.0 OS Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/mikecole-mg/security_findings/blob/main/airsonic-advanced/airsonic-rce.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-18T13:40:29.757269Z", "id": "CVE-2025-10669", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-18T13:40:39.251Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10669", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-18T13:40:29.757269Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-18T13:40:35.839Z"}}], "cna": {"title": "Airsonic-Advanced Playlist Upload unrestricted upload", "credits": [{"lang": "en", "type": "reporter", "value": "mikecole-mg (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "modules": ["Playlist Upload Handler"], "product": "Airsonic-Advanced", "versions": [{"status": "affected", "version": "10.0"}, {"status": "affected", "version": "10.1"}, {"status": "affected", "version": "10.2"}, {"status": "affected", "version": "10.3"}, {"status": "affected", "version": "10.4"}, {"status": "affected", "version": "10.5"}, {"status": "affected", "version": "10.6.0"}]}], "timeline": [{"lang": "en", "time": "2025-09-18T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-09-18T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-09-18T07:40:15.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.324790", "name": "VDB-324790 | Airsonic-Advanced Playlist Upload unrestricted upload", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.324790", "name": "VDB-324790 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.652356", "name": "Submit #652356 | GitHub Airsonic-Advanced 10.6.0 OS Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/mikecole-mg/security_findings/blob/main/airsonic-advanced/airsonic-rce.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Airsonic-Advanced up to 10.6.0. This vulnerability affects unknown code of the component Playlist Upload Handler. Performing manipulation results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used."}, {"lang": "de", "value": "In Airsonic-Advanced bis 10.6.0 wurde eine Schwachstelle gefunden. Es ist betroffen eine unbekannte Funktion der Komponente Playlist Upload Handler. Durch Manipulation mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Es ist m\u00f6glich, den Angriff aus der Ferne durchzuf\u00fchren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-09-18T13:32:09.467Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10669", "state": "PUBLISHED", "dateUpdated": "2025-09-18T13:40:39.251Z", "dateReserved": "2025-09-18T05:34:44.815Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-09-18T13:32:09.467Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Airsonic-Advanced up to 10.6.0. This vulnerability affects unknown code of the component Playlist Upload Handler. Performing manipulation results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used."}], "id": "CVE-2025-10669", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-09-18T14:15:48.890", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/mikecole-mg/security_findings/blob/main/airsonic-advanced/airsonic-rce.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.324790"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.324790"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.652356"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"created": "2025-09-19T09:36:31.386630+00:00", "updated": "2025-09-19T09:36:31.386714+00:00", "vendors": ["airsonic", "airsonic$PRODUCT$airsonic"]}