CVE-2025-14521 | baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c download filename path traversal

A vulnerability described as critical has been identified in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The affected element is an unknown function of the file /admin/index.php/datafile/download. Such manipulation of the argument filename leads to path traversal.

This vulnerability is listed as CVE-2025-14521. The attack may be performed from remote. In addition, an exploit is available.

This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-14521 | baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c download filename path traversal

Post correlati

CVE-2024-5680 | Schneider Electric EcoStruxure Foxboro DCS Core Control Services up to 9.8 Foxboro.sys array index (SEVD-2024-191-02)

CVE-2024-3128 | Replify-Messenger 1.0 on Android Backup File androidmanifest.xml backup

CVE-2025-61080 | Clear2Pay Bank Visibility Application 1.10.0.104 ID cross site scripting

CVE-2023-42017 | IBM Planning Analytics 2.0 HTTP Request unrestricted upload (XFDB-265567)