Description
Directory traversal in Follett Software's Destiny Library Manager 22_0_2_rc1 and fixed in v.22.5 AU1 allows remote attackers to read arbitrary system and application files via the image parameter
Published: 2026-05-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic directory traversal flaw that permits a remote attacker to construct a malicious image parameter and read arbitrary files from the system hosting Follett Library Manager. Because the parameter is processed without proper validation, the attacker can access sensitive configuration or credential files as well as other system data.

Affected Systems

Users of Follett Software’s Destiny Library Manager version 22_0_2_rc1 are affected. The flaw is fixed by the 22.5 AU1 release and all later versions. No other product or vendor is explicitly reported as impacted.

Risk and Exploitability

The flaw is reachable via a remote request to the image parameter, with no authentication required. EPSS is not available and the vulnerability is not listed in the KEV catalog, so the likelihood of widespread exploitation is uncertain, but the CVSS score of 7.5 indicates a medium‑to‑high severity, underscoring the potential for significant data disclosure if exploited.

Generated by OpenCVE AI on May 22, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 22.5 AU1 or a later release of Follett Library Manager to eliminate the directory traversal flaw.
  • If an upgrade cannot be applied immediately, configure web server or application layer rules to block or sanitize the image parameter so that it cannot reference paths outside the intended directory.
  • Apply network segmentation or firewall rules to restrict external access to the Destiny Library Manager endpoints, reducing the attack surface for directory traversal attempts.

Generated by OpenCVE AI on May 22, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Directory Traversal Allowing Remote File Read in Follett Destiny Library Manager Directory Traversal Allows Remote File Read in Follett Destiny Library Manager

Fri, 22 May 2026 16:00:00 +0000

Type Values Removed Values Added
Title Directory Traversal Allowing Remote File Read in Follett Destiny Library Manager

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Directory traversal in Follett Software's Destiny Library Manager 22_0_2_rc1 and fixed in v.22.5 AU1 allows remote attackers to read arbitrary system and application files via the image parameter
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-22T14:52:28.087Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-45145

cve-icon Vulnrichment

Updated: 2026-05-22T14:50:25.747Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T17:00:15Z

Weaknesses