Description
SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service.
Published: 2026-01-31
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Manipulation
Action: Patch Now
AI Analysis

Impact

SunFounder Pironman Dashboard (pm_dashboard) exposes a path traversal weakness in its log file API endpoints. An unauthenticated attacker can supply traversal sequences in the filename parameter to read or delete any file on the host. This flaw enables confidentiality violations, data loss, and potential system compromise or denial of service if critical configuration or code files are removed.

Affected Systems

The vulnerability affects SunFounder's Pironman Dashboard version 1.3.13 and all earlier releases. Systems running these versions are susceptible to arbitrary file read and deletion unless the API is disabled or filtered.

Risk and Exploitability

With a CVSS score of 9.3, the flaw is rated critical. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of current exploitation. Nonetheless, the impact is severe: the log file API is reachable remotely without authentication, so an attacker needs only to send a crafted HTTP request to it to read sensitive data or erase system files. Monitoring for anomalous requests to these endpoints and applying the fix should be a top priority.

Generated by OpenCVE AI on April 18, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of Pironman Dashboard that has fixed the path traversal issue.
  • Configure the application or surrounding firewall to reject traversal sequences by validating file paths or disabling the vulnerable API endpoint.
  • If the upgrade cannot be performed immediately, restrict network access to the log file API to trusted internal hosts and enable system monitoring for unauthorized file reads or deletions.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sunfounder; Sunfounder pironman Dashboard
Vendors & Products | | Sunfounder; Sunfounder pironman Dashboard

Mon, 02 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 01 Feb 2026 07:00:00 +0000

Type | Values Removed | Values Added
References | |

Sun, 01 Feb 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service.
Title | | SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-02T20:02:08.707Z

Reserved: 2026-01-28T21:47:35.120Z

Link: CVE-2026-25069

Vulnrichment

Updated: 2026-02-02T20:02:04.558Z

NVD

Status: Deferred

Published: 2026-02-01T00:16:19.107

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:00:11Z
