Platform
python
Component
openvpn-cms-flask
Fixed in
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
CVE-2025-6776 is a critical Path Traversal vulnerability discovered in xiaoyunjie's openvpn-cms-flask, affecting versions from 1.2.0 through 1.2.7. This flaw allows attackers to potentially access sensitive files on the server by manipulating file upload parameters. A fix is available in version 1.2.8, and users are strongly advised to upgrade immediately.
The Path Traversal vulnerability in openvpn-cms-flask allows an attacker to bypass intended file access restrictions. By crafting malicious requests with manipulated file paths, an attacker can potentially read arbitrary files from the server's file system. This could expose sensitive configuration data, source code, or even user credentials. Successful exploitation could lead to complete compromise of the system, enabling attackers to gain unauthorized access, modify data, or execute arbitrary code. The disclosed nature of this vulnerability significantly increases the risk of exploitation.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While no active campaigns have been definitively linked to CVE-2025-6776 at the time of writing, the availability of a proof-of-concept significantly lowers the barrier to entry for attackers. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern. The ease of exploitation and public disclosure make this a high-priority vulnerability to address.
Exploit Status
EPSS
0.53% (67% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-6776 is to upgrade openvpn-cms-flask to version 1.2.8, which includes the necessary patch (e23559b98c8ea2957f09978c29f4e512ba789eb6). If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting file upload locations and validating file extensions rigorously. Web application firewalls (WAFs) configured to detect and block path traversal attempts can also provide an additional layer of defense. Review and harden file upload configurations to prevent similar vulnerabilities in the future.
Actualice openvpn-cms-flask a la versión 1.2.8 o superior. Esta versión contiene una corrección para la vulnerabilidad de path traversal en la función Upload del archivo controller.py. La actualización evitará que atacantes remotos manipulen el argumento 'image' para acceder a archivos no autorizados.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-6776 is a critical Path Traversal vulnerability affecting openvpn-cms-flask versions 1.2.0–1.2.8, allowing attackers to potentially access sensitive files by manipulating file upload parameters.
If you are using openvpn-cms-flask versions 1.2.0 through 1.2.7, you are affected by this vulnerability. Upgrade to 1.2.8 to mitigate the risk.
Upgrade openvpn-cms-flask to version 1.2.8. Apply the patch with ID e23559b98c8ea2957f09978c29f4e512ba789eb6.
While no active campaigns have been definitively linked, the vulnerability is publicly disclosed and a proof-of-concept is available, increasing the risk of exploitation.
Refer to the official openvpn-cms-flask project repository or relevant security advisories for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.