Description
Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The upload_file() endpoint in Heym accepts a filename parameter that is used directly to store an uploaded file. The code neither sanitizes nor validates the filename, so an attacker who can authenticate to the application can supply a payload such as ../../../etc/passwd. The unfiltered path components escape the intended storage directory, enabling the attacker to write files with arbitrary names to any location reachable by the web process. This can lead to the creation of malicious binaries, privilege escalation, or the disclosure of sensitive data.

Affected Systems

The vulnerability affects Heym versions earlier than 0.0.21. The vendor is recorded as Heym in the CNA product listing. All installations running Heym before 0.0.21 are potentially exposed when the upload_file() endpoint is reachable by authenticated clients.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. No EPSS information is available, but the absence of a KEV listing suggests no known public exploitation yet. The path traversal flaw can be leveraged by any authenticated user, so an internal user or compromised credentials would suffice. The risk is especially significant in environments where privileged users are permitted to upload files, since an attacker could then place code or sensitive files outside the intended directory.

Generated by OpenCVE AI on May 12, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Heym 0.0.21 or later where the path traversal flaw is fixed.
  • If upgrading is not immediately possible, patch the upload_file() handler to validate and sanitize filenames, stripping traversal sequences and limiting the write path to a dedicated directory.
  • Disable file uploads for unauthenticated users or restrict them to a safe directory with strict filename patterns.
  • Consider implementing filesystem ACLs or a chroot environment to limit the web process’s write permissions to the intended storage location.
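The validate-and-sanitize fix described in the second action above, as an added example in Python that is not Heym's code: an allow-list on the name, a check on the resolved path, and a no-overwrite open form three independent guards. The storage root, the constructed filenames and the function names are assumptions; the page does not show Heym's real handler signature.

```python
import os
import re
import tempfile
from pathlib import Path

# Allow-list: starts with a letter, digit, '_' or '-'; may continue with those plus '.';
# at most 128 chars. '/' '\' and '..' cannot match, so traversal never reaches the path.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}")


def sanitize_filename(user_name: str) -> str:
    """Return the client-supplied name if allow-listed, else raise ValueError.
    fullmatch is used (not match) so a trailing newline cannot slip past; rejecting
    rather than rewriting keeps '../' names visible as an attack indicator to log.
    """
    if not _SAFE_NAME.fullmatch(user_name):
        raise ValueError(f"rejected filename: {user_name!r}")
    return user_name


def upload_file(storage_root: Path, user_name: str, content: bytes) -> Path:
    """Hardened counterpart of the vulnerable handler: writes only inside storage_root.
    (Hypothetical signature; Heym's real handler is not shown on the page.)"""
    root = storage_root.resolve()
    target = (root / sanitize_filename(user_name)).resolve()
    if target.parent != root:  # independent second guard; also catches symlinks pointing outside
        raise ValueError("resolved path escapes storage directory")
    # O_EXCL refuses to clobber an existing file, so one upload cannot overwrite another.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return target


def demo() -> dict:
    """Run the handler over constructed filenames; map each to its stored name or 'rejected'."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # constructed storage root for the demo
        root = Path(tmp) / "uploads"
        root.mkdir()
        for name in ["report.pdf", "../../../etc/passwd", "..\\..\\win.ini", ".hidden", "a.txt\n"]:
            try:
                results[name] = upload_file(root, name, b"constructed content").name
            except ValueError:
                results[name] = "rejected"
    return results
```

Logging the rejected names gives a cheap detection signal for traversal attempts against the endpoint.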

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:30:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Heymrun; Heymrun heym

Type: Vendors & Products
Values Added: Heymrun; Heymrun heym

Tue, 12 May 2026 21:30:00 +0000

Type: Description
Values Added: Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.

Type: Title
Values Added: Heym < 0.0.21 Path Traversal File Upload via upload_file()

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:42:22.609Z

Reserved: 2026-05-11T14:14:49.611Z

Link: CVE-2026-45225

Vulnrichment

Updated: 2026-05-14T20:01:28.723Z

NVD

Status: Deferred

Published: 2026-05-12T22:16:37.990

Modified: 2026-05-14T20:17:09.223

Link: CVE-2026-45225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:35:29Z

Weaknesses