{"id":"CVE-2025-51661","details":"A path traversal vulnerability in FileCodeBox v2.2 and earlier allows arbitrary file writes when the application is configured to use local filesystem storage. The SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to perform arbitrary file writes outside the intended directory by sending crafted POST requests containing malicious traversal sequences to the /share/file/ upload endpoint, which does not require any authorization. Note: the CVSS vector recorded in this entry rates integrity impact as none (I:N), which appears inconsistent with the arbitrary file write described here.","modified":"2026-04-10T05:30:25.309262Z","published":"2025-11-19T20:15:52.867Z","references":[{"type":"REPORT","url":"https://github.com/vastsa/FileCodeBox/issues/349"},{"type":"PACKAGE","url":"https://github.com/vastsa/FileCodeBox"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vastsa/filecodebox","events":[{"introduced":"0"},{"last_affected":"17331112b43c1d97256e2d8e7e16d76e3b0a3b60"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.2"}]}}],"versions":["2.2","Main","V1.1","V1.2","V1.4","V1.4.1","V1.4.3","V1.4.4","V1.4.5","V1.5.1","V1.5.2","V1.5.3","V1.5.4","V1.5.6","V1.5.7","V1.5.9","V1.5.9.1","V1.5.9.2","V1.6","V1.7Beta","V2.0","V2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-51661.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}