Scan free
HIGHCVE-2025-7146CVSS 7.5

CVE-2025-7146: Path Traversal in iPublish System

Platform

other

Component

ipublish-system

Fixed in

0.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2025-7146 describes a Path Traversal vulnerability discovered in the iPublish System, developed by Jhenggao. This vulnerability allows unauthenticated remote attackers to read arbitrary system files, potentially exposing sensitive information. The vulnerability impacts versions 0–0 of the iPublish System. A fix is available in version 0.0.1.

Impact and Attack Scenarios

The primary impact of CVE-2025-7146 is the ability for an unauthenticated attacker to read any file accessible to the iPublish System process. This includes configuration files, source code, and potentially even sensitive data like database credentials or API keys. Successful exploitation could lead to complete system compromise, data exfiltration, and further malicious activity. While the vulnerability requires no authentication, the attacker must be able to reach the iPublish System over a network.

Exploitation Context

CVE-2025-7146 was publicly disclosed on 2025-07-08. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. It is recommended to monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.11% (30% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentipublish-system
VendorJhenggao
Affected rangeFixed in
0 – 00.0.1

Weakness Classification (CWE)

CWE-23

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The recommended mitigation for CVE-2025-7146 is to immediately upgrade to version 0.0.1 of the iPublish System. If upgrading is not immediately feasible, consider implementing strict access controls to the iPublish System server to limit potential attacker access. Network segmentation can also help isolate the system. While a WAF might be able to detect and block attempts to exploit path traversal, it is not a substitute for patching. Monitor system logs for unusual file access patterns.

How to fix

Update to a patched version of the iPublish system. Contact the vendor (Jhenggao) for the latest secure version. If no version is available, consider disabling or replacing the iPublish system.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-7146 — Path Traversal in iPublish System?

CVE-2025-7146 is a vulnerability allowing unauthenticated attackers to read arbitrary files on an iPublish System server. It has a CVSS score of 7.5 (HIGH).

Am I affected by CVE-2025-7146 in iPublish System?

If you are using iPublish System versions 0–0, you are affected. Upgrade to version 0.0.1 to mitigate the risk.

How do I fix CVE-2025-7146 in iPublish System?

The fix is to upgrade to version 0.0.1 of the iPublish System. If immediate upgrade isn't possible, implement strict access controls and network segmentation.

Is CVE-2025-7146 being actively exploited?

Currently, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.

Where can I find the official iPublish System advisory for CVE-2025-7146?

Refer to the Jhenggao website or relevant security mailing lists for the official advisory regarding CVE-2025-7146.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
CVE-2025-7146: Path Traversal in iPublish System | NextGuard